From vedaal at hush.com Fri May 1 02:01:06 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 30 Apr 2009 20:01:06 -0400
Subject: Selecting cipher to generate a key pair
Message-ID: <20090501000106.CCDC51A003A@smtp.hushmail.com>
>Is it possible to select a specific cipher, such as Triple-DES or
>Blowfish, to use to generate a key pair?
if, by selection, you mean to choose that cipher as the one
protecting your secret key, then yes
use the following options:
--expert
--s2k-cipher-algo name
(either Blowfish or 3DES, or any other one you wish)
n.b.
[1] a key generated this way will still be able to use any cipher
while decrypting or encrypting a pgp message
[2] do not add '--s2k-cipher-algo name' to your gpg.conf,
unless you want all symmetric messages (not encrypted to a Public
Key) to be the same as the cipher of your secret key
vedaal
From dshaw at jabberwocky.com Fri May 1 04:57:12 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 30 Apr 2009 22:57:12 -0400
Subject: New results against SHA-1
Message-ID:
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
There is not much hard information yet, but the two big quotes are
"SHA-1 collisions now 2^52" and "Practical collisions are within
resources of a well funded organisation."
David
From allen.schultz at gmail.com Fri May 1 05:08:41 2009
From: allen.schultz at gmail.com (Allen Schultz)
Date: Thu, 30 Apr 2009 21:08:41 -0600
Subject: Selecting cipher to generate a key pair
In-Reply-To: <20090501000106.CCDC51A003A@smtp.hushmail.com>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com>
Message-ID: <49FA67B9.8070708@gmail.com>
vedaal at hush.com wrote:
> (either Blowfish or 3DES, or any other one you wish)
What's the default to encrypting/hashing the secret key? And how good is it?
Allen
From rjh at sixdemonbag.org Fri May 1 06:13:49 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 00:13:49 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FA67B9.8070708@gmail.com>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com>
<49FA67B9.8070708@gmail.com>
Message-ID: <49FA76FD.4040501@sixdemonbag.org>
Allen Schultz wrote:
> What's the default to encrypting/hashing the secret key? And how good is it?
CAST5-128.
It's hard to talk about how good it is. Cryptography is an intensively
mathematical discipline, and most people are not very well-equipped to
discuss those details.
Ultimately, it would be like arguing whether King Kong or Godzilla is
better at urban destruction. Biologists can argue until the cows come
home which one would be better and why, but from the perspective of your
average inhabitant of Tokyo or New York City the answer is, "Who cares?
Get out of town _right now_!"
From the perspective of the overwhelming majority of OpenPGP users,
CAST5-128 does the job just fine. The only instances I'm aware of in
which CAST5-128 doesn't do the job well are ones where bureaucratic
rules require specific algorithms, and CAST5-128 isn't on that
checklist. That's a bureaucratic failing, though, not a failing of
CAST5-128.
From atom at smasher.org Fri May 1 05:58:47 2009
From: atom at smasher.org (Atom Smasher)
Date: Fri, 1 May 2009 15:58:47 +1200 (NZST)
Subject: New results against SHA-1
In-Reply-To:
References:
Message-ID: <20090501035849.7658.qmail@smasher.org>
On Thu, 30 Apr 2009, David Shaw wrote:
> http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
>
> There is not much hard information yet, but the two big quotes are
> "SHA-1 collisions now 2^52" and "Practical collisions are within
> resources of a well funded organisation."
===================
so... when is the open-pgp spec moving beyond SHA1 hashes to identify
public keys? what's next? will it have to be a bigger hash?
--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Workers of the World, Unite!
You have nothing to lose but your chains."
-- Karl Marx, 1848
From cathy.smith at pnl.gov Fri May 1 18:08:44 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 09:08:44 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <255999BBAD1AEE4EA6AA193F66611642AEAA0A@EMAIL03.pnl.gov>
References: <255999BBAD1AEE4EA6AA193F66611642AEAA0A@EMAIL03.pnl.gov>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA1C@EMAIL03.pnl.gov>
My apologies to the group. I meant to say
gpg --gen-key
I have a customer who can not accept our pgp public key. They are
asking for a specific cipher to be used in generating the public key.
After some reading yesterday, it seemed that gpg might be the solution.
I don't have any experience with gpg, and limited pgp experience.
Regards,
Cathy
---
Cathy L. Smith
Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith at pnl.gov
-----Original Message-----
From: Smith, Cathy
Sent: Thursday, April 30, 2009 2:54 PM
To: 'gnupg-users at gnupg.org'
Subject: Selecting cipher to generate a key pair
Is it possible to select a specific cipher, such as Triple-DES or
Blowfish, to use to generate a key pair?
I've read email posted in the archives, and FAQ that indicates this is
possible. I don't see an option to do that just running
pgp --gen-key
Thanks.
Cathy
From vedaal at hush.com Fri May 1 20:41:04 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Fri, 01 May 2009 14:41:04 -0400
Subject: Selecting cipher to generate a key pair
Message-ID: <20090501184105.0963820040@smtp.hushmail.com>
"Smith, Cathy" wrote on
Date: 2009-05-01 16:08:44 :
>I have a customer who can not accept our pgp public key.
>They are asking for a specific cipher to be used in generating the
>public key.
this sounds like there might be a 'problem' ...
there are people who 'can' use 'any' cipher, but prefer a
particular one,
or have a company policy to use a specific one, e.g. AES-256 or
3DES
and there are people whose programs can use only 'one' cipher, and
no others
at the risk of taking 'wild guesses' ;-)
the only situations i can think of where a person 'cannot' accept
anything other than one cipher are:
[1] a die-hard pgp 2.x user who needs a v3 key using IDEA
(yes, they still exist, but probably won't survive the move to 64
bit systems)
[2] a company that is bound by some standard to use AES or 3DES
(i can't imagine any company really insisting on 'only Blowfish'
and nothing else ;-) )
[ anyway, it was 'cracked on 24' and shown on network tv to have a
'backdoor' ;-) ]
{please excuse the 'semi-off' geek humor,
blowfish has 'no' backdoor and is still quite secure,
no matter what hollywood writers say ;-)) }
if you have situation [1], you are out of luck using any current
gnupg or pgp,
(there was a post on how to do this with an older gnupg version,
but it would be much simpler to just use pgp2.x to generate it)
if you have situation [2],
it is much easier,
temporarily put the following 2 lines in your gpg.conf
expert
s2k-cipher-algo name ('name' is the name of the cipher your client
wants)
then save your gpg.conf
and run
gpg --gen-key
the key will be generated with the cipher your client wants
if this still doesn't help,
then please post 'exactly' what you need done
vedaal
From cathy.smith at pnl.gov Fri May 1 23:42:26 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 14:42:26 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FA76FD.4040501@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com>
<49FA76FD.4040501@sixdemonbag.org>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
Is there a brief explanation available as to how the cipher is used in
generating the private/public keys? It seems this is separate from the
cipher that is chosen to encrypt my data.
Thanks.
Cathy
From rjh at sixdemonbag.org Sat May 2 00:57:34 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 18:57:34 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com>
<49FA76FD.4040501@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
Message-ID: <49FB7E5E.9060101@sixdemonbag.org>
Smith, Cathy wrote:
> Is there a brief explanation available as to how the cipher is used in
> generating the private/public keys? It seems this is separate from the
> cipher that is chosen to encrypt my data.
rjh at chronicles:~$ gpg --enable-dsa2 --gen-key
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
If you choose #1, you will be using, by default, DSA as a signature
algorithm, AES256 as a general-purpose message encryption algorithm,
Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash algorithm.
None of these algorithms are actually used to generate the
private/public keys, though. The private and public keys are just
numbers. GnuPG generates those numbers from a cryptographically secure
pseudorandom number generator, then subjects the numbers to a battery of
mathematical tests to make sure the keys are safe to use.
Is it possible for you to tell us what algorithms your correspondent
expects you to use? Knowing that might help us out quite a bit.
From cathy.smith at pnl.gov Sat May 2 01:04:41 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 16:04:41 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB7E5E.9060101@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com>
<49FA76FD.4040501@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
<49FB7E5E.9060101@sixdemonbag.org>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov>
The customer stated that he can accept a public key generated with
either Blowfish or Triple-DES. I wasn't sure what he needed because all
I've dealt with in generating a key pair before is selecting the DSA or
RSA option. Our PGP version doesn't offer the DSA and Elgamal option.
I've sent him a GnuPG-generated key, and asked him to find out if they
are using GnuPG. I haven't heard from him today.
Cathy
From rjh at sixdemonbag.org Sat May 2 01:21:40 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 19:21:40 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com>
<49FA76FD.4040501@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
<49FB7E5E.9060101@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov>
Message-ID: <49FB8404.7000600@sixdemonbag.org>
Smith, Cathy wrote:
> The customer stated that he can accept a public key generated with
> either Blowfish or Triple-DES. I wasn't sure what he needed because all
> I've dealt with in generating a key pair before is selecting the DSA or
> RSA option. Our PGP version doesn't offer the DSA and Elgamal option.
It probably does, actually; PGP just, for marketing reasons, calls it
Diffie-Hellman/DSS. (Long story, but yes, they're the exact same thing.)
That said, your customer does not appear to understand how GnuPG or PGP
work. _All_ OpenPGP-conformant applications (GnuPG, PGP, and others)
can handle 3DES; and 3DES has absolutely nothing to do with how you
generate your public key.
From cathy.smith at pnl.gov Sat May 2 01:31:10 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 16:31:10 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8404.7000600@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com>
<49FA76FD.4040501@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
<49FB7E5E.9060101@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov>
<49FB8404.7000600@sixdemonbag.org>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov>
I agree about the lack of understanding. It's been difficult to get
specific information from the customer. I don't have the option of
saying it's their problem. The GnuPG was a guess after I read something
about specifying the cipher algorithm.
The customer said they have a proprietary implementation that only
supports Blowfish or 3DES for the key. I'm still trying to find out
exactly what that means. I've talked to the folks here at work who
understand these things better than I, and all have shaken their heads.
I appreciate your assistance.
Cathy
From rjh at sixdemonbag.org Sat May 2 01:39:19 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 19:39:19 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com>
<49FA76FD.4040501@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
<49FB7E5E.9060101@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov>
<49FB8404.7000600@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov>
Message-ID: <49FB8827.1070102@sixdemonbag.org>
Smith, Cathy wrote:
> The customer said they have a proprietary implementation that only
> supports Blowfish or 3DES for the key. I'm still trying to find out
> exactly what that means.
Okay, that much makes sense now.
I would suggest adding:
cipher-algo 3DES
... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and
not one I'd generally recommend; however, the downsides are pretty
minimal. Then encrypt a message using their public key and send it on
to them. If they can read it, great. If they can't, then the problem
is their proprietary implementation of OpenPGP is shoddy.
Incidentally, if your customer is a telecommunications firm, I think I
may know the implementation they're using and some of its more egregious
misfeatures. Other than that one and PGP Corporation's offering,
though, I have no experience with proprietary OpenPGP offerings.
From cathy.smith at pnl.gov Sat May 2 01:41:03 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 16:41:03 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8827.1070102@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com>
<49FA76FD.4040501@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
<49FB7E5E.9060101@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov>
<49FB8404.7000600@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov>
<49FB8827.1070102@sixdemonbag.org>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA57@EMAIL03.pnl.gov>
Thanks. I'll try that.
Cathy
From jmoore3rd at bellsouth.net Sat May 2 01:49:22 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Fri, 01 May 2009 19:49:22 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8827.1070102@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov> <49FB7E5E.9060101@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov> <49FB8404.7000600@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov>
<49FB8827.1070102@sixdemonbag.org>
Message-ID: <49FB8A82.4010609@bellsouth.net>
Robert J. Hansen wrote:
> Smith, Cathy wrote:
>> The customer said they have a proprietary implementation that only
>> supports Blowfish or 3DES for the key. I'm still trying to find out
>> exactly what that means.
>
> Okay, that much makes sense now.
>
> I would suggest adding:
>
> cipher-algo 3DES
>
> ... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and
> not one I'd generally recommend; however, the downsides are pretty
> minimal. Then encrypt a message using their public key and send it on
> to them. If they can read it, great. If they can't, then the problem
> is their proprietary implementation of OpenPGP is shoddy.
Riddle Me this, Robert; _if_ "The Customer" has a requirement that 3DES
must be used [and they are associating it with their Key] then wouldn't
this mean that the *only* preference broadcast by their Key is 3DES? If
this is the case then wouldn't GPG automatically select this cipher
algorithm by default as the only compatible one between the two parties?
:-\
JOHN ;)
Timestamp: Friday 01 May 2009, 19:49 --400 (Eastern Daylight Time)
From rjh at sixdemonbag.org Sat May 2 01:59:22 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 19:59:22 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8A82.4010609@bellsouth.net>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov> <49FB7E5E.9060101@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov> <49FB8404.7000600@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov> <49FB8827.1070102@sixdemonbag.org>
<49FB8A82.4010609@bellsouth.net>
Message-ID: <49FB8CDA.2070306@sixdemonbag.org>
John W. Moore III wrote:
> Riddle Me this, Robert; _if_ "The Customer" has a requirement that
> 3DES must be used [and they are associating it with their Key] then
> wouldn't this mean that the *only* preference broadcast by their Key
> is 3DES?
You're assuming the customer's key is correctly advertising their
preferences. If their proprietary implementation is a shoddy one, then
maybe it advertises capabilities they don't really have.
> If this is the case then wouldn't GPG automatically select this
> cipher algorithm by default as the only compatible one between the
> two parties?
You'd hope so, yes -- but I think we might want to consider the
possibility the customer's implementation is terribly broken.
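Added example, not part of the original thread and not GnuPG's own code: a small Python model of the preference question discussed in the messages above. It applies the RFC 4880 (section 13.2) rule that 3DES is tacitly at the end of every key's preference list; the sender ordering `SENDER_ORDER`, the constructed customer keys and all function names are assumptions made for illustration.

```python
"""Model of OpenPGP symmetric-cipher negotiation (RFC 4880, section 13.2).

Illustration only: the sample keys are constructed and the tie-breaking
policy is an assumption, not the behaviour of any particular product.
"""

# Symmetric-key algorithm IDs as assigned in RFC 4880, section 9.2.
CIPHER_IDS = {
    "IDEA": 1, "3DES": 2, "CAST5": 3, "BLOWFISH": 4,
    "AES": 7, "AES192": 8, "AES256": 9, "TWOFISH": 10,
}
MUST_IMPLEMENT = "3DES"

# Assumption: the sender's own ranking, used only to pick among ciphers
# that every recipient key lists.
SENDER_ORDER = ["AES256", "AES192", "AES", "CAST5", "3DES", "BLOWFISH"]

# Constructed scenario from the thread: the customer's software can really
# handle only Blowfish and 3DES.
CUSTOMER_IMPLEMENTS = {"3DES", "BLOWFISH"}
HONEST_KEY = ["3DES", "BLOWFISH"]                   # advertises what it can do
OVERCLAIMING_KEY = ["AES256", "AES", "CAST5", "3DES"]  # advertises too much


def effective_prefs(advertised):
    """Preference list as a sender must read it: unknown names rejected,
    duplicates dropped, 3DES tacitly appended if the key omits it."""
    prefs = []
    for name in advertised:
        if name not in CIPHER_IDS:
            raise ValueError(f"unknown cipher {name!r}")
        if name not in prefs:
            prefs.append(name)
    if MUST_IMPLEMENT not in prefs:
        prefs.append(MUST_IMPLEMENT)
    return prefs


def choose_cipher(recipient_keys, sender_order=SENDER_ORDER, forced=None):
    """Return (cipher, within_prefs).

    Without `forced`, pick the first cipher in the sender's order that every
    recipient key lists. With `forced` (modelling a blanket override such as
    the `cipher-algo 3DES` line suggested in the thread), use that cipher and
    report whether it is inside the recipients' common preference set.
    """
    if not recipient_keys:
        raise ValueError("at least one recipient key is required")
    lists = [effective_prefs(key) for key in recipient_keys]
    common = set(lists[0]).intersection(*lists[1:])
    if forced is not None:
        if forced not in CIPHER_IDS:
            raise ValueError(f"unknown cipher {forced!r}")
        return forced, forced in common
    for name in sender_order:
        if name in common:
            return name, True
    # 3DES is in every effective list, so it is always a valid fallback.
    return MUST_IMPLEMENT, True


def recipient_can_decrypt(cipher, implemented):
    """True if the recipient's software actually implements the cipher."""
    return cipher in implemented


def scenarios():
    """Run the three cases from the discussion; returns
    {label: (cipher, within_prefs, customer_can_decrypt)}."""
    cases = [
        ("honest key, automatic selection", HONEST_KEY, None),
        ("overclaiming key, automatic selection", OVERCLAIMING_KEY, None),
        ("overclaiming key, 3DES forced", OVERCLAIMING_KEY, "3DES"),
    ]
    results = {}
    for label, key, forced in cases:
        cipher, within = choose_cipher([key], forced=forced)
        results[label] = (
            cipher, within, recipient_can_decrypt(cipher, CUSTOMER_IMPLEMENTS)
        )
    return results


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: cipher={outcome[0]} within_prefs={outcome[1]} "
              f"customer_can_decrypt={outcome[2]}")
```

In the second case the sender follows the key's preferences correctly and the customer still cannot read the message, which is the failure mode the forced 3DES setting works around.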
From faramir.cl at gmail.com Sat May 2 02:34:50 2009
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 01 May 2009 20:34:50 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8A82.4010609@bellsouth.net>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov> <49FB7E5E.9060101@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov> <49FB8404.7000600@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov> <49FB8827.1070102@sixdemonbag.org>
<49FB8A82.4010609@bellsouth.net>
Message-ID: <49FB952A.8050408@gmail.com>
John W. Moore III wrote:
...
> Riddle Me this, Robert; _if_ "The Customer" has a requirement that 3DES
> must be used [and they are associating it with their Key] then wouldn't
> this mean that the *only* preference broadcast by their Key is 3DES? If
> this is the case then wouldn't GPG automatically select this cipher
> algorithm by default as the only compatible one between the two parties?
Yes, I was thinking the same thing... But don't forget the customer
can handle Blowfish too (but GPG can handle it too, so the question
remains the same).
Best Regards
From faramir.cl at gmail.com Sat May 2 02:31:27 2009
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 01 May 2009 20:31:27 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8827.1070102@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov> <49FB7E5E.9060101@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov> <49FB8404.7000600@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov>
<49FB8827.1070102@sixdemonbag.org>
Message-ID: <49FB945F.2010704@gmail.com>
Robert J. Hansen wrote:
> Smith, Cathy wrote:
>> The customer said they have a proprietary implementation that only
>> supports Blowfish or 3DES for the key. I'm still trying to find out
>> exactly what that means.
>
> Okay, that much makes sense now.
>
> I would suggest adding:
>
> cipher-algo 3DES
But... isn't GPG expected to recognise the preferences (or
capabilities) in the customer's key and use the right algo automatically?
Best Regards
From faramir.cl at gmail.com Sat May 2 02:36:54 2009
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 01 May 2009 20:36:54 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8CDA.2070306@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov> <49FB7E5E.9060101@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov> <49FB8404.7000600@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov> <49FB8827.1070102@sixdemonbag.org> <49FB8A82.4010609@bellsouth.net>
<49FB8CDA.2070306@sixdemonbag.org>
Message-ID: <49FB95A6.1050704@gmail.com>
Robert J. Hansen wrote:
> John W. Moore III wrote:
>> Riddle Me this, Robert; _if_ "The Customer" has a requirement that
>> 3DES must be used [and they are associating it with their Key] then
>> wouldn't this mean that the *only* preference broadcast by their Key
>> is 3DES?
>
> You're assuming the customer's key is correctly advertising their
> preferences. If their proprietary implementation is a shoddy one, then
> maybe it advertises capabilities they don't really have.
Ahh... Ok, that explains it. Is it possible to change the preferences
(edit the public key) without having the private key? Or maybe to set a
rule somewhere to force gpg to use Blowfish or 3DES, but just for that
specific customer?
Best Regards
From subs at christiantena.net Fri May 1 23:53:06 2009
From: subs at christiantena.net (Philip)
Date: Fri, 01 May 2009 22:53:06 +0100
Subject: questions: no input file, and pascal programming
Message-ID: <49FB6F42.5000804@christiantena.net>
Hi
I have some questions about gpg
1. using gpg command line, can I pass data to be encrypted to gpg that
isn't in a file? For example if I want to encrypt "Mary had a little
lamb" to an asc file but I don't want to put that text onto the hard
drive unencrypted first.
2. is there something like gpgme that can be used easily for pascal
programmers?
Personally I use freepascal and I just want to be able to select a key,
encrypt and decrypt from within my program.
If anyone knows of any opensource pascal programs that use gnupg it
would be appreciated.
thanks, Philip
From John at Mozilla-Enigmail.org Sat May 2 03:52:56 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Fri, 01 May 2009 20:52:56 -0500
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FB6F42.5000804@christiantena.net>
References: <49FB6F42.5000804@christiantena.net>
Message-ID: <49FBA778.5010304@Mozilla-Enigmail.org>
Philip wrote:
> Hi
> I have some questions about gpg
> 1. using gpg command line, can I pass data to be encrypted to gpg that
> isn't in a file? For example if I want to encrypt "Mary had a little
> lamb" to an asc file but I don't want to put that text onto the hard
> drive unencrypted first.
gpg will behave as a pipe or if given no input, quietly wait for you to
type something in.
> 2. is there something like gpgme that can be used easily for pascal
> programmers?
> Personally I use freepascal and I just want to be able to select a key,
> encrypt and decrypt from within my program.
> If anyone knows of any opensource pascal programs that use gnupg it
> would be appreciated.
Pascal bindings should exist for the current gpgme, I've just not found
them.
I've worked with one pascal program that used gpgme bindings but it was
code before gpgme API changed. I'd love to find updated bindings and
save myself the effort of updating the old ones
--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
From webmaster at felipe1982.com Sat May 2 09:06:13 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Sat, 2 May 2009 17:06:13 +1000
Subject: gnupg 1.2.6
Message-ID: <200905021706.22037.webmaster@felipe1982.com>
My web host has gnupg 1.2.6 on their machines. I often SSH into it when
I am not at home on my gnulinux box. Anything I should be concerned
about when using this version? The two key pairs I made (DSS signing,
ELG encryption) were made on gnupg 2.0.9, and transferred (and
imported) to this host via SSH.
Felipe
From subs at christiantena.net Sat May 2 09:35:08 2009
From: subs at christiantena.net (Philip)
Date: Sat, 02 May 2009 08:35:08 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FBA778.5010304@Mozilla-Enigmail.org>
References: <49FB6F42.5000804@christiantena.net>
<49FBA778.5010304@Mozilla-Enigmail.org>
Message-ID: <49FBF7AC.8090705@christiantena.net>
I found that if I just type "gpg" I get this
"gpg: Go ahead and type your message ..." which looks promising but I
can't find any documentation on how to use it.
Also this works in linux
"echo Mary had a little lamb|gpg --yes -eat -o test.txt.gpg -r [keyid]"
but I don't know how to do something similar in dos/windows
thanks, Philip
John Clizbe wrote:
> Philip wrote:
>> Hi
>> I have some questions about gpg
>> 1. using gpg command line, can I pass data to be encrypted to gpg that
>> isn't in a file? For example if I want to encrypt "Mary had a little
>> lamb" to an asc file but I don't want to put that text onto the hard
>> drive unencrypted first.
>
> gpg will behave as a pipe or if given no input, quietly wait for you to
> type something in.
>
>> 2. is there something like gpgme that can be used easily for pascal
>> programmers?
>> Personally I use freepascal and I just want to be able to select a key,
>> encrypt and decrypt from within my program.
>> If anyone knows of any opensource pascal programs that use gnupg it
>> would be appreciated.
>
> Pascal bindings should exist for the current gpgme, I've just not found
> them.
>
> I've worked with one pascal program that used gpgme bindings but it was
> code before gpgme API changed. I'd love to find updated bindings and
> save myself the effort of updating the old ones
From simon at ruderich.org Sat May 2 12:25:45 2009
From: simon at ruderich.org (Simon Ruderich)
Date: Sat, 2 May 2009 12:25:45 +0200
Subject: Use other hash than SHA-1
Message-ID: <20090502102545.GA17546@ruderich.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I would like to use a different hash than SHA-1. I tried setting
personal-digest-preferences SHA256 in my gpg.conf but it didn't
work. What hash can I use with my key (default DSA/Elgamal key)
and how?
Thanks for your help,
Simon
- --
+ privacy is necessary
+ using http://gnupg.org
+ public key id: 0x6115F804EFB33229
From david250 at videotron.ca Sat May 2 12:01:51 2009
From: david250 at videotron.ca (David Bernier)
Date: Sat, 02 May 2009 06:01:51 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB7E5E.9060101@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com>
<49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
<49FB7E5E.9060101@sixdemonbag.org>
Message-ID: <49FC1A0F.6020401@videotron.ca>
Dear Robert J. Hansen,
Robert J. Hansen wrote:
> Smith, Cathy wrote:
>
>> Is there a brief explanation available as to how the cipher is used in
>> generating the private/public keys? It seems this is separate from the
>> cipher that is chosen to encrypt my data.
>>
>
>
> rjh at chronicles:~$ gpg --enable-dsa2 --gen-key
> Please select what kind of key you want:
> (1) DSA and Elgamal (default)
> (2) DSA (sign only)
> (5) RSA (sign only)
>
>
> If you choose #1, you will be using, by default, DSA as a signature
> algorithm, AES256 as a general-purpose message encryption algorithm,
> Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash algorithm.
>
> None of these algorithms are actually used to generate the
> private/public keys, though. The private and public keys are just
> numbers. GnuPG generates those numbers from a cryptographically secure
> pseudorandom number generator, then subjects the numbers to a battery of
> mathematical tests to make sure the keys are safe to use.
>
> Is it possible for you to tell us what algorithms your correspondent
> expects you to use? Knowing that might help us out quite a bit.
>
I'd like to know more about the process by which unsigned packages become
signed packages. This matters, I think, when using SELinux, which is what
I do.
Some packages are unsigned, e.g. Xcas, a computer algebra system by
Bernard Parisse at a university in France:
< http://www-fourier.ujf-grenoble.fr/~parisse/english.html >
I had to tell the SELinux motor that she must trust two modules loaded
dynamically
when Xcas is launched. I succeeded after many hours.
It would be easier, I think, if Xcas (the application) had an electronic
signature by someone that Fedora 10 trusts ...
Thanks a lot,
David Bernier
From hs2412 at gmail.com Sat May 2 12:51:54 2009
From: hs2412 at gmail.com (Hardeep Singh)
Date: Sat, 2 May 2009 16:21:54 +0530
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FBF7AC.8090705@christiantena.net>
References: <49FB6F42.5000804@christiantena.net>
<49FBA778.5010304@Mozilla-Enigmail.org>
<49FBF7AC.8090705@christiantena.net>
Message-ID:
The same can be done in Windows.
Visit http://blog.hardeep.name/computer/20080828/linux-shell-on-windows/
this will give you the shell and the Echo commands that you need.
Hardeep Singh
http://blog.Hardeep.name
On Sat, May 2, 2009 at 1:05 PM, Philip wrote:
> I found that if I just type "gpg" I get this
> "gpg: Go ahead and type your message ..." which looks promising but I
> can't find any documentation on how to use it.
>
> Also this works in linux
> "echo Mary had a little lamb|gpg --yes -eat -o test.txt.gpg -r [keyid]"
>
> but I don't know how to do something similar in dos/windows
>
> thanks, Philip
>
> John Clizbe wrote:
>> Philip wrote:
>>> Hi
>>> I have some questions about gpg
>>> 1. using gpg command line, can I pass data to be encrypted to gpg that
>>> isn't in a file? For example if I want to encrypt "Mary had a little
>>> lamb" to an asc file but I don't want to put that text onto the hard
>>> drive unencrypted first.
>>
>> gpg will behave as a pipe or if given no input, quietly wait for you to
>> type something in.
>>
>>> 2. is there something like gpgme that can be used easily for pascal
>>> programmers?
>>> Personally I use freepascal and I just want to be able to select a key,
>>> encrypt and decrypt from within my program.
>>> If anyone knows of any opensource pascal programs that use gnupg it
>>> would be appreciated.
>>
>> Pascal bindings should exist for the current gpgme, I've just not found
>> them.
>>
>> I've worked with one pascal program that used gpgme bindings but it was
>> code before gpgme API changed. I'd love to find updated bindings and
>> save myself the effort of updating the old ones
From jmoore3rd at bellsouth.net Sat May 2 14:11:46 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sat, 02 May 2009 08:11:46 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <20090502102545.GA17546@ruderich.org>
References: <20090502102545.GA17546@ruderich.org>
Message-ID: <49FC3882.50006@bellsouth.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Simon Ruderich wrote:
> I would like to use a different hash than SHA-1. I tried setting
> personal-digest-preferences SHA256 in my gpg.conf but it didn't
> work. What hash can I use with my key (default DSA/Elgamal key)
> and how?
Which version of GnuPG are You using & is it DSA2 compatible?
Try using the gpg.conf entry
digest-algo SHA256
JOHN ;)
Timestamp: Saturday 02 May 2009, 08:11 --400 (Eastern Daylight Time)
From subs at christiantena.net Sat May 2 14:28:31 2009
From: subs at christiantena.net (Philip)
Date: Sat, 02 May 2009 13:28:31 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To:
References: <49FB6F42.5000804@christiantena.net>
<49FBA778.5010304@Mozilla-Enigmail.org>
<49FBF7AC.8090705@christiantena.net>
Message-ID: <49FC3C6F.6040205@christiantena.net>
I got it to work in Windows.
With a default install of gpg4win gpg is not in the path, but this
command works
echo Mary had a little lamb|"c:\Program Files\GNU\GnuPG\gpg.exe" --yes -eat -o test.txt.gpg -r [keyid]
I'm thinking that it might be easier for a pascal programmer to
interface with gpg on command line than to figure out how to compile
against gpgme c code, even if it isn't probably the right way to do it.
thanks, Philip
Hardeep Singh wrote:
> The same can be done in Windows.
> Visit http://blog.hardeep.name/computer/20080828/linux-shell-on-windows/
> this will give you the shell and the Echo commands that you need.
>
> Hardeep Singh
> http://blog.Hardeep.name
>
>
>
> On Sat, May 2, 2009 at 1:05 PM, Philip wrote:
>> I found that if I just type "gpg" I get this
>> "gpg: Go ahead and type your message ..." which looks promising but I
>> can't find any documentation on how to use it.
>>
>> Also this works in linux
>> "echo Mary had a little lamb|gpg --yes -eat -o test.txt.gpg -r [keyid]"
>>
>> but I don't know how to do something similar in dos/windows
>>
>> thanks, Philip
>>
>> John Clizbe wrote:
>>> Philip wrote:
>>>> Hi
>>>> I have some questions about gpg
>>>> 1. using gpg command line, can I pass data to be encrypted to gpg that
>>>> isn't in a file? For example if I want to encrypt "Mary had a little
>>>> lamb" to an asc file but I don't want to put that text onto the hard
>>>> drive unencrypted first.
>>> gpg will behave as a pipe or if given no input, quietly wait for you to
>>> type something in.
>>>
>>>> 2. is there something like gpgme that can be used easily for pascal
>>>> programmers?
>>>> Personally I use freepascal and I just want to be able to select a key,
>>>> encrypt and decrypt from within my program.
>>>> If anyone knows of any opensource pascal programs that use gnupg it
>>>> would be appreciated.
>>> Pascal bindings should exist for the current gpgme, I've just not found
>>> them.
>>>
>>> I've worked with one pascal program that used gpgme bindings but it was
>>> code before gpgme API changed. I'd love to find updated bindings and
>>> save myself the effort of updating the old ones
From mail at 404not-found.de Sat May 2 14:56:01 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Sat, 2 May 2009 14:56:01 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <49FC3882.50006@bellsouth.net>
References: <20090502102545.GA17546@ruderich.org>
<49FC3882.50006@bellsouth.net>
Message-ID: <200905021456.15789.mail@404not-found.de>
On Saturday 02 May 2009 14:11:46 John W. Moore III wrote:
> Simon Ruderich wrote:
> > I would like to use a different hash than SHA-1. I tried setting
> > personal-digest-preferences SHA256 in my gpg.conf but it didn't
> > work. What hash can I use with my key (default DSA/Elgamal key)
> > and how?
>
> Which version of GnuPG are You using & is it DSA2 compatible?
>
> Try using the gpg.conf entry
>
> digest-algo SHA256
Well, setting digest-algo works, but this will always use SHA256 even if the
recipient doesn't have this algo in his digest list, and thus could create a
non-openpgp compliant message.
So setting personal-digest-preferences would be the better choice. But Simon
is right, this seems to be ignored, even if I set the --recipient to someone
who has SHA256 in his digest list.
Maybe I have the options still wrong? I tried
gpg --recipient --personal-digest-preferences=SHA256 --sign --encrypt
I'm using gpg 2.0.11.
Raimar
From dshaw at jabberwocky.com Sat May 2 15:45:11 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 2 May 2009 09:45:11 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <20090502102545.GA17546@ruderich.org>
References: <20090502102545.GA17546@ruderich.org>
Message-ID: <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
> I would like to use a different hash than SHA-1. I tried setting
> personal-digest-preferences SHA256 in my gpg.conf but it didn't
> work. What hash can I use with my key (default DSA/Elgamal key)
> and how?
The short answer is that you can only use a 160-bit hash with your
default DSA key. That means SHA-1 or RIPEMD/160. There is a feature
you can enable (--enable-dsa2) that will allow you to use a bigger
hash -- but you can still only use 160 bits worth of it. So if you
use SHA-256, you're actually only taking 160 bits worth of it and
discarding the rest.
To truly use all of a larger hash, you need to either use a RSA key or
a large (not default) DSA key (i.e. generated with --enable-dsa2
switched on, and a larger size than 1024 bits selected).
David
From mail at 404not-found.de Sat May 2 16:47:07 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Sat, 2 May 2009 16:47:07 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
Message-ID: <200905021647.11645.mail@404not-found.de>
On Saturday 02 May 2009 15:45:11 David Shaw wrote:
> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
> > I would like to use a different hash than SHA-1. I tried setting
> > personal-digest-preferences SHA256 in my gpg.conf but it didn't
> > work. What hash can I use with my key (default DSA/Elgamal key)
> > and how?
>
> The short answer is that you can only use a 160-bit hash with your
> default DSA key. That means SHA-1 or RIPEMD/160. There is a feature
> you can enable (--enable-dsa2) that will allow you to use a bigger
> hash -- but you can still only use 160 bits worth of it. So if you
> use SHA-256, you're actually only taking 160 bits worth of it and
> discarding the rest.
>
> To truly use all of a larger hash, you need to either use a RSA key or
> a large (not default) DSA key (i.e. generated with --enable-dsa2
> switched on, and a larger size than 1024 bits selected).
SHA256 is included in the default pref list even for a regular DSA key. Is
that because my own key is not involved when verifying a signature, and gnupg
could verify a SHA256 hash created by someone with a RSA or DSA2 key?
Is it therefore reasonable to have SHA256 in first place of the key
preferences, even for a regular DSA key?
Raimar
From rjh at sixdemonbag.org Sat May 2 17:42:16 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 02 May 2009 11:42:16 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FC1A0F.6020401@videotron.ca>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com>
<49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
<49FB7E5E.9060101@sixdemonbag.org> <49FC1A0F.6020401@videotron.ca>
Message-ID: <49FC69D8.1090903@sixdemonbag.org>
David Bernier wrote:
> I'd like to know more about the process by which unsigned packages become
> signed packages. This matters, I think, when using SELinux, which is what
> I do.
This process will vary from operating system to operating system. What
works for Fedora isn't the same as what works for Ubuntu isn't the same
as what works for FreeBSD isn't the same as what works for Windows.
I don't know how Fedora works, so I'm not able to answer this question.
I would suggest asking on a Fedora mailing list.
From dshaw at jabberwocky.com Sat May 2 21:14:50 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 2 May 2009 15:14:50 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <200905021647.11645.mail@404not-found.de>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<200905021647.11645.mail@404not-found.de>
Message-ID: <1BA8D025-7D8F-4456-A925-96EFA0201F4D@jabberwocky.com>
On May 2, 2009, at 10:47 AM, Raimar Sandner wrote:
> On Saturday 02 May 2009 15:45:11 David Shaw wrote:
>> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
>>> I would like to use a different hash than SHA-1. I tried setting
>>> personal-digest-preferences SHA256 in my gpg.conf but it didn't
>>> work. What hash can I use with my key (default DSA/Elgamal key)
>>> and how?
>>
>> The short answer is that you can only use a 160-bit hash with your
>> default DSA key. That means SHA-1 or RIPEMD/160. There is a feature
>> you can enable (--enable-dsa2) that will allow you to use a bigger
>> hash -- but you can still only use 160 bits worth of it. So if you
>> use SHA-256, you're actually only taking 160 bits worth of it and
>> discarding the rest.
>>
>> To truly use all of a larger hash, you need to either use a RSA key or
>> a large (not default) DSA key (i.e. generated with --enable-dsa2
>> switched on, and a larger size than 1024 bits selected).
>
> SHA256 is included in the default pref list even for a regular DSA key. Is
> that because my own key is not involved when verifying a signature, and gnupg
> could verify a SHA256 hash created by someone with a RSA or DSA2 key?
Yes.
> Is it therefore reasonable to have SHA256 in first place of the key
> preferences, even for a regular DSA key?
Yes. (You can place it anywhere you like, depending on how highly you
rank it).
David
From faramir.cl at gmail.com Sat May 2 21:28:33 2009
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 02 May 2009 15:28:33 -0400
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FC3C6F.6040205@christiantena.net>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net>
<49FC3C6F.6040205@christiantena.net>
Message-ID: <49FC9EE1.6020108@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Philip wrote:
> I got it to work in Windows.
> With a default install of gpg4win gpg is not in the path, but this
> command works
> echo Mary had a little lamb|"c:\Program Files\GNU\GnuPG\gpg.exe" --yes
> -eat -o test.txt.gpg -r [keyid]
I disagree, the installer of gpg4win automatically adds gpg to path
global environment variable. It's the installer of gpg 1.4.9 the one
that doesn't do it.
Best Regards
From allen.schultz at gmail.com Sat May 2 21:46:14 2009
From: allen.schultz at gmail.com (Allen Schultz)
Date: Sat, 2 May 2009 13:46:14 -0600
Subject: Use other hash than SHA-1
In-Reply-To: <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
Message-ID: <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sat, May 2, 2009 at 7:45 AM, David Shaw
wrote:
> The short answer is that you can only use a 160-bit hash with your default
> DSA key. That means SHA-1 or RIPEMD/160. There is a feature you can enable
> (--enable-dsa2) that will allow you to use a bigger hash -- but you can
> still only use 160 bits worth of it. So if you use SHA-256, you're actually
> only taking 160 bits worth of it and discarding the rest.
I'm stuck with that smaller key until I change the subkeys, but
a question about the two hashes. What's the difference in SHA-1
and RIPEMD/160?
Allen
From faramir.cl at gmail.com Sat May 2 22:02:44 2009
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 02 May 2009 16:02:44 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
Message-ID: <49FCA6E4.4060309@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Allen Schultz wrote:
> I'm stuck with that smaller key until I change the subkeys, but
> a question about the two hashes. What's the difference in SHA-1
> and RIPEMD/160?
Take a look at: http://en.wikipedia.org/wiki/RIPEMD
Best Regards
From dshaw at jabberwocky.com Sat May 2 22:38:51 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 2 May 2009 16:38:51 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
Message-ID:
On May 2, 2009, at 3:46 PM, Allen Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, May 2, 2009 at 7:45 AM, David Shaw
> wrote:
>> The short answer is that you can only use a 160-bit hash with your default
>> DSA key. That means SHA-1 or RIPEMD/160. There is a feature you can enable
>> (--enable-dsa2) that will allow you to use a bigger hash -- but you can
>> still only use 160 bits worth of it. So if you use SHA-256, you're actually
>> only taking 160 bits worth of it and discarding the rest.
>
> I'm stuck with that smaller key until I change the subkeys, but
> a question about the two hashes. What's the difference in SHA-1
> and RIPEMD/160?
They're different algorithms that have the same hash size (160 bits).
The recent attacks against SHA-1 do not apply to RIPEMD/160, but note
that RIPEMD/160 is attacked far less than SHA-1 is.
David
From rjh at sixdemonbag.org Sat May 2 22:43:00 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 02 May 2009 16:43:00 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
Message-ID: <49FCB054.6050606@sixdemonbag.org>
Allen Schultz wrote:
> I'm stuck with that smaller key until I change the subkeys, but
> a question about the two hashes. What's the difference in SHA-1
> and RIPEMD/160?
Not much. They're both 160-bit Merkle-Damgard hashes. RIPEMD160 comes
out of Europe, SHA-1 comes out of the National Security Agency.
Some people distrust anything that comes out of the NSA. For these
people, RIPEMD160 is a good option.
I think the reason why RIPEMD160 has survived so long is due to the fact
hardly anybody is looking at it. Given all we've learned about
attacking hash functions from the SHA-1 and MD5 papers, I think it's
fair to be a little skeptical of RIPEMD160's long-term prospects.
From subs at christiantena.net Sun May 3 11:22:49 2009
From: subs at christiantena.net (Philip)
Date: Sun, 03 May 2009 10:22:49 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FC9EE1.6020108@gmail.com>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net>
<49FC9EE1.6020108@gmail.com>
Message-ID: <49FD6269.2030701@christiantena.net>
So far I have figured out that on windows if I enter the command
gpg -eat -r [recipient key]
I get a prompt on the console
If I then type a message, followed by control-Z
then gpg will encrypt the message and dump the pgp text to the screen,
or to a file if I used the -o [filename] option.
However on linux control-Z just terminates the program (no pgp text)
Does anyone know the official, correct console way to get pgp to
terminate and output the encrypted text from console?
I'm amazed that it just doesn't seem to be documented anywhere.
thanks, Philip
From brad at fineby.me.uk Sun May 3 11:44:12 2009
From: brad at fineby.me.uk (Brad Rogers)
Date: Sun, 3 May 2009 10:44:12 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FD6269.2030701@christiantena.net>
References: <49FB6F42.5000804@christiantena.net>
<49FBA778.5010304@Mozilla-Enigmail.org>
<49FBF7AC.8090705@christiantena.net>
<49FC3C6F.6040205@christiantena.net> <49FC9EE1.6020108@gmail.com>
<49FD6269.2030701@christiantena.net>
Message-ID: <20090503104412.26c4c3e8@abydos.stargate.org.uk>
On Sun, 03 May 2009 10:22:49 +0100
Philip wrote:
Hello Philip,
> Does anyone know the official, correct console way to get pgp to
> terminate and output the encrypted text from console?
> I'm amazed that it just doesn't seem to be documented anywhere.
Through trial and error, I found Ctrl-D works.
--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
Life goes quick and it goes without warning
Bombsite Boy - The Adverts
From src=gnupg at lion.leolix.org Sun May 3 11:49:40 2009
From: src=gnupg at lion.leolix.org (Philipp Schafft)
Date: Sun, 03 May 2009 11:49:40 +0200
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FD6269.2030701@christiantena.net>
References: <49FB6F42.5000804@christiantena.net>
<49FBA778.5010304@Mozilla-Enigmail.org>
<49FBF7AC.8090705@christiantena.net>
<49FC3C6F.6040205@christiantena.net> <49FC9EE1.6020108@gmail.com>
<49FD6269.2030701@christiantena.net>
Message-ID: <20090503094943.B2C057ADCC@priderock.keep-cool.org>
reflum,
On Sun, 2009-05-03 at 10:22 +0100, Philip wrote:
> So far I have figured out that on windows if I enter the command
> gpg -eat -r [recipient key]
>
> I get a prompt on the console
> If I then type a message, followed by control-Z
> then gpg will encrypt the message and dump the pgp text to the screen,
> or to a file if I used the -o [filename] option.
>
> However on linux control-Z just terminates the program (no pgp text)
>
> Does anyone know the official, correct console way to get pgp to
> terminate and output the encrypted text from console?
>
> I'm amazed that it just doesn't seem to be documented anywhere.
Take a look at the ASCII table (man ascii :). There is ^D (EOT - end of
transmission) for this. This is used by all systems I'm aware of but
window$. Don't know why they use something different, maybe just to be
different and break the standard.
--
Philipp.
(Rah of PH2)
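What the piping discussed in this thread looks like when a program drives gpg, as an added example that is not part of any post here: the plaintext goes to gpg's standard input, and closing that pipe is the end-of-file signal that Ctrl-D (Unix) or Ctrl-Z (Windows console) sends from a keyboard. The function names and the `program` parameter are illustrative assumptions; the gpg options are the long forms of the `--yes -eat -r` command quoted in the thread, plus `--batch`.

```python
import subprocess

# Long-option spelling of the thread's "--yes -eat": encrypt, ASCII armor, text mode.
# --batch is an addition for unattended use: gpg fails instead of stopping to prompt
# (for example when the recipient key is not trusted).
GPG_FLAGS = ["--batch", "--yes", "--encrypt", "--armor", "--textmode"]


def build_argv(recipient, program=("gpg",)):
    """Command line with no input file named, so gpg reads plaintext from stdin.

    `program` lets the caller give a full path when gpg is not on PATH, e.g.
    (r"c:\\Program Files\\GNU\\GnuPG\\gpg.exe",) as in the thread.
    """
    return [*program, *GPG_FLAGS, "--recipient", recipient]


def encrypt_in_memory(plaintext, recipient, program=("gpg",)):
    """Pipe plaintext (bytes) to gpg and return what it writes to stdout.

    The plaintext never appears on the command line or in a file. subprocess.run
    writes `input` to the child's stdin and then closes it; that close is the
    end-of-file gpg waits for before it emits the encrypted message.
    """
    proc = subprocess.run(
        build_argv(recipient, program),
        input=plaintext,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    if proc.returncode != 0:
        detail = proc.stderr.decode(errors="replace").strip()
        raise RuntimeError("gpg exited with status %d: %s" % (proc.returncode, detail))
    return proc.stdout


if __name__ == "__main__":
    import sys
    # Usage: python encrypt_stdin.py KEYID   (KEYID: a key present in your keyring)
    sys.stdout.buffer.write(encrypt_in_memory(b"Mary had a little lamb\n", sys.argv[1]))
```

The same pattern carries over to other languages that can spawn a process with redirected standard streams: write the plaintext to the child's stdin, close it, then read stdout.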
From martin.agren at gmail.com Sun May 3 13:05:36 2009
From: martin.agren at gmail.com (Martin Ågren)
Date: Sun, 3 May 2009 13:05:36 +0200
Subject: New results against SHA-1
In-Reply-To: <20090501035849.7658.qmail@smasher.org>
References:
<20090501035849.7658.qmail@smasher.org>
Message-ID: <147e40f30905030405jcf3d8c6j6b99b80e5f1f2464@mail.gmail.com>
2009/5/1 Atom Smasher :
> On Thu, 30 Apr 2009, David Shaw wrote:
>
>> http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
>>
>> There is not much hard information yet, but the two big quotes are "SHA-1
>> collisions now 2^52" and "Practical collisions are within resources of a
>> well funded organisation."
>
> [...] what's next? will it have to be a bigger hash?
No, not bigger, but better. :) SHA-2 should be better, but since it's
conceptually quite similar to SHA-1, one could be somewhat worried...
SHA-3, on the other hand, will be very well-studied when it becomes a
standard, so we should in a way be able to trust it as much as we
trust AES. Google "SHA-3 competition" for more information.
Take care!
Martin
From simon at ruderich.org Sun May 3 14:17:03 2009
From: simon at ruderich.org (Simon Ruderich)
Date: Sun, 3 May 2009 14:17:03 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
Message-ID: <20090503121703.GA10433@ruderich.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sat, May 02, 2009 at 09:45:11AM -0400, David Shaw wrote:
> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
>
> The short answer is that you can only use a 160-bit hash with your
> default DSA key. That means SHA-1 or RIPEMD/160. There is a feature you
> can enable (--enable-dsa2) that will allow you to use a bigger hash -- but
> you can still only use 160 bits worth of it. So if you use SHA-256,
> you're actually only taking 160 bits worth of it and discarding the rest.
>
> To truly use all of a larger hash, you need to either use a RSA key or a
> large (not default) DSA key (i.e. generated with --enable-dsa2 switched
> on, and a larger size than 1024 bits selected).
>
> David
Hi,
Thanks for your reply. As it looks like SHA-1 is not so secure
anymore I want to switch to something stronger, e.g. SHA-256.
What is the best way (for a normal user like me) to do this? The
solution should be as compatible as possible (I think I read
--enable-dsa2 doesn't work with some clients).
I often read I should stick with the defaults but as SHA-1 has
its problems I would prefer a "better" hash; and this doesn't
seem to work with the defaults.
Thanks,
Simon
--
+ privacy is necessary
+ using http://gnupg.org
+ public key id: 0x6115F804EFB33229
From subs at christiantena.net Sun May 3 17:22:54 2009
From: subs at christiantena.net (Philip)
Date: Sun, 03 May 2009 16:22:54 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To: <20090503094943.B2C057ADCC@priderock.keep-cool.org>
References: <49FB6F42.5000804@christiantena.net>
<49FBA778.5010304@Mozilla-Enigmail.org>
<49FBF7AC.8090705@christiantena.net>
<49FC3C6F.6040205@christiantena.net> <49FC9EE1.6020108@gmail.com>
<49FD6269.2030701@christiantena.net>
<20090503094943.B2C057ADCC@priderock.keep-cool.org>
Message-ID: <49FDB6CE.7040301@christiantena.net>
I spent a little time coding in windows today (using lazarus).
I have come to the conclusion that you can pipe stuff to gpg from inside
dos window, but that if you try to pipe stuff directly from the pascal
program it fails.
I actually got my program to work by piping to cmd.exe with "echo Mary
had a little lamb|gpg" inside the stream, which sort of proves that I
know how to program a pipe.
Example code is at
http://www.christiantena.net/freepascalgpgexample.zip
you can look at this code by installing lazarus, unzipping the above file
into a folder, and then from lazarus do project/open project and point
it at the lpi file in the folder
hit F9 to compile it
This feels a bit like a bug in gpg to me...
regards, Philip
From jh at jameshoward.us Sun May 3 22:13:02 2009
From: jh at jameshoward.us (James P. Howard, II)
Date: Sun, 03 May 2009 16:13:02 -0400
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FDB6CE.7040301@christiantena.net>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net>
<49FC9EE1.6020108@gmail.com> <49FD6269.2030701@christiantena.net> <20090503094943.B2C057ADCC@priderock.keep-cool.org>
<49FDB6CE.7040301@christiantena.net>
Message-ID: <49FDFACE.9030604@jameshoward.us>
Under DOS, redirecting from the standard output of A to the standard
input of B meant the contents were stored in a temporary file somewhere,
due to DOS's inability to multitask. It's worth checking to be sure
Windows still doesn't do that when running those at the command line.
James
--
James P. Howard, II, MPA
jh at jameshoward.us
From subs at christiantena.net Mon May 4 01:25:34 2009
From: subs at christiantena.net (Philip)
Date: Mon, 04 May 2009 00:25:34 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FDFACE.9030604@jameshoward.us>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net>
<49FC9EE1.6020108@gmail.com> <49FD6269.2030701@christiantena.net> <20090503094943.B2C057ADCC@priderock.keep-cool.org>
<49FDB6CE.7040301@christiantena.net>
<49FDFACE.9030604@jameshoward.us>
Message-ID: <49FE27EE.3020500@christiantena.net>
Hmm, that would spoil things.
reading this
http://www.velocityreviews.com/forums/t365339-p-write-eof-without-closing.html
the opinion there is that sending control-Z is just a signal from the
keyboard to the shell which the shell uses to cut the flow to the
application listening on stdin, it doesn't actually send control-z to
the app.
in other words I need to flush and close the input side of the pipe, but
not the output side or I won't collect the program output.
I was hoping that tprocess.CloseInput might achieve that but it doesn't
seem to cause gpg to stop listening for input.
Anyone got any ideas?
thanks, Philip
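Added example, not part of the thread and not Philip's Pascal code: a Python sketch of the point reached in the message above, that a program reading from a pipe sees end-of-file when the write end is closed (while its output side stays open), not when a ^Z or ^D byte is written. The child process is a stand-in (an assumption) that, like gpg, reads stdin in binary mode to end-of-file before producing output.

```python
import subprocess
import sys

# Stand-in for gpg (an assumption, so the demo runs without a keyring): like
# `gpg -eat -r KEY` it reads stdin until end-of-file and only then writes output.
STAND_IN = [sys.executable, "-c",
            "import sys; d = sys.stdin.buffer.read(); "
            "sys.stdout.buffer.write(d.upper())"]


def control_chars_are_just_data(cmd=STAND_IN, patience=0.5):
    """Send ^Z (0x1A) and ^D (0x04) down the pipe, then close it properly.

    Returns (child_was_still_waiting, child_output).
    """
    child = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    child.stdin.write(b"Mary had a little lamb\x1a\x04")
    child.stdin.flush()
    try:
        child.wait(timeout=patience)
        still_waiting = False
    except subprocess.TimeoutExpired:
        # No terminal sits between us and the child, so nothing turned the
        # control bytes into end-of-file; the child is still blocked reading.
        still_waiting = True
    child.stdin.close()            # closing the write end is the EOF signal
    output = child.stdout.read()   # the output side stays open until the child exits
    child.stdout.close()
    child.wait()
    return still_waiting, output


def pipe_through(data, cmd=STAND_IN):
    """Feed data to cmd and collect everything it prints, without deadlocking.

    communicate() writes the input, closes only the child's stdin, and keeps
    reading stdout until the child closes it.
    """
    child = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    output, _ = child.communicate(data)
    return child.returncode, output


if __name__ == "__main__":
    print(control_chars_are_just_data())
    print(pipe_through(b"Mary had a little lamb"))
    # With a real recipient key the same call drives gpg (key ID is a placeholder):
    # pipe_through(b"Mary had a little lamb",
    #              ["gpg", "--batch", "-eat", "-r", "<KEYID>"])
```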
From dshaw at jabberwocky.com Mon May 4 04:56:24 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 3 May 2009 22:56:24 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <20090503121703.GA10433@ruderich.org>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<20090503121703.GA10433@ruderich.org>
Message-ID: <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
On May 3, 2009, at 8:17 AM, Simon Ruderich wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, May 02, 2009 at 09:45:11AM -0400, David Shaw wrote:
>> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
>>
>> The short answer is that you can only use a 160-bit hash with your
>> default DSA key. That means SHA-1 or RIPEMD/160. There is a
>> feature you
>> can enable (--enable-dsa2) that will allow you to use a bigger hash
>> -- but
>> you can still only use 160 bits worth of it. So if you use SHA-256,
>> you're actually only taking 160 bits worth of it and discarding the
>> rest.
>>
>> To truly use all of a larger hash, you need to either use a RSA key
>> or a
>> large (not default) DSA key (i.e. generated with --enable-dsa2
>> switched
>> on, and a larger size than 1024 bits selected).
>>
>> David
>
> Hi,
>
> Thanks for your reply. As it looks like SHA-1 is not so secure
> anymore I want to switch to something stronger, e.g. SHA-256.
> What is best way (for a normal user like me) to do this? The
> solution should be as compatible as possible (I think I read
> --enable-dsa2 doesn't work with some clients).
> I often read I should stick with the defaults but as SHA-1 has
> it's problems I would prefer a "better" hash; and this doesn't
> seem to work with the defaults.
It's always good advice to stick to the defaults, but it's possible in
this case that it's time to change the defaults.
In the meantime, while the defaults are being pondered, if your
current primary key is a 1024-bit DSA key (it'll say "pub 1024D" when
you do a key listing), then you should consider migrating to something
else. That "something else" can either be a DSA key that is larger
than 1024 bits (often called "DSA2") or an RSA key that is larger than
1024 bits. Different people have different opinions on which is a
better choice and there is no one right answer. For what it's worth,
I personally favor RSA as RSA+SHA-256 has been around longer than
DSA2+SHA-256 and is therefore somewhat more widely supported over the
various OpenPGP clients out there, but DSA2 has some good things about
it, particularly that the signatures are physically smaller, and thus
aren't as intrusive over email.
It's important to remember that this isn't a completely SHA-1 free
key, as that is not currently possible in the OpenPGP protocol, but it
is possible to make a "use as little SHA-1 as possible key".
The way to make the new key is a little bit fussy, I'm afraid, as the
defaults in GPG are sort of built for SHA-1.

If you want a DSA2 key:

  gpg --enable-dsa2 --gen-key

Select option 1, and enter 3072 for the DSA key size. Hit enter.
Then enter a key size for the encryption subkey. The default (2048)
is fine.

If you want an RSA key:

  gpg --cert-digest-algo sha256 --gen-key

Select option 5. Enter a RSA key size. The default (2048) is fine.
Finish generating the key as usual, then type:

  gpg --cert-digest-algo sha256 --edit-key (yourkey)
  addkey
  6

Enter a keysize for the subkey. Again, the default (2048) is fine.

For either case, finish up by sticking "personal-digest-preferences
sha256" in your gpg.conf file.

The end result will be a key that does not use SHA-1 either in its
internal construction or in signatures it makes elsewhere. Keep in
mind that there are some clients out there that simply cannot cope
with this key and will reject it with one failure message or another.
The most recent versions of either PGP or GPG can handle it just fine.
David
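Added example, not David Shaw's or GnuPG's code: a Python check for the "pub 1024D" case described in the message above and for the personal-digest-preferences line, run over a constructed key listing and a constructed gpg.conf fragment. It assumes the field order of `gpg --list-keys --with-colons` (record type, validity, key length, algorithm, key ID) and the RFC 4880 algorithm numbers; the key IDs and names are made up.

```python
# RFC 4880 public-key algorithm IDs, as they appear in field 4 of a colon listing.
ALGO_NAMES = {1: "RSA", 16: "ELG", 17: "DSA"}

# Constructed sample in the layout of `gpg --list-keys --with-colons`.
SAMPLE_LISTING = """\
pub:u:1024:17:1111111111111111:2004-06-01:::u:Old Key <old@example.org>::scESC:
sub:u:2048:16:2222222222222222:2004-06-01::::::e:
pub:u:3072:17:3333333333333333:2009-05-04:::u:DSA2 Key <dsa2@example.org>::scSC:
sub:u:2048:16:4444444444444444:2009-05-04::::::e:
pub:u:2048:1:5555555555555555:2009-05-04:::u:RSA Key <rsa@example.org>::scSC:
sub:u:2048:1:6666666666666666:2009-05-04::::::e:
"""

# Constructed gpg.conf fragment.
SAMPLE_CONF = """\
# options are written without the leading dashes
no-greeting
personal-digest-preferences sha256
"""

# The two 160-bit hashes the thread names as usable with a default DSA key.
HASHES_160 = ("SHA1", "RIPEMD160")


def audit_primary_keys(listing):
    """Return one finding per primary key and flag 1024-bit DSA ("pub 1024D")."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 5:
            continue                      # subkeys, user IDs, other records
        try:
            bits, algo = int(fields[2]), int(fields[3])
        except ValueError:
            continue                      # malformed record, skip it
        findings.append({
            "keyid": fields[4],
            "type": "%d%s" % (bits, ALGO_NAMES.get(algo, "algo%d" % algo)),
            "migrate": algo == 17 and bits <= 1024,   # 160-bit hash only
        })
    return findings


def preferred_digest(conf_text):
    """First algorithm named by personal-digest-preferences, upper-cased, or None.

    This sketch keeps the last such line it sees and ignores comment lines.
    """
    choice = None
    for raw in conf_text.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lstrip("-") == "personal-digest-preferences" and len(words) > 1:
            choice = words[1].upper()
    return choice


def report(listing, conf_text):
    """Human-readable summary lines for a key listing plus a gpg.conf text."""
    lines = []
    for f in audit_primary_keys(listing):
        verdict = "consider migrating (160-bit hash only)" if f["migrate"] else "ok"
        lines.append("%s %s: %s" % (f["keyid"], f["type"], verdict))
    digest = preferred_digest(conf_text)
    if digest is None or digest in HASHES_160:
        lines.append("gpg.conf: personal-digest-preferences does not ask for a larger hash")
    else:
        lines.append("gpg.conf: prefers %s" % digest)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING, SAMPLE_CONF)))
```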
From wk at gnupg.org Mon May 4 10:19:18 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 04 May 2009 10:19:18 +0200
Subject: gpgsm data structure
In-Reply-To: <5040856.1241092979229.JavaMail.ngmail@webmail18.arcor-online.net>
(rookie01@arcor.de's message of "Thu, 30 Apr 2009 14:02:59 +0200
(CEST)")
References: <17764364.1241089849578.JavaMail.ngmail@webmail18.arcor-online.net>
<5040856.1241092979229.JavaMail.ngmail@webmail18.arcor-online.net>
Message-ID: <8763ghth4p.fsf@wheatstone.g10code.de>
On Thu, 30 Apr 2009 14:02, rookie01 at arcor.de said:
> A recipient cannot decrypt my gpgsm signed and encrypted data. He sent me some data he can decrypt. It looks like this:
If you post ASN.1 dumps and expect me to read them, pretty please use
dumpasn1 and not the openssl tools.
> So here's my question: Why is the gpgsm data in 4kB blocks and is there an "easy" way to change this blocksize.
4KB is a reasonable size, no specific reason for it. An ASN.1 parser is
expected to parse it. It is quite possible that there is a bug in our
parser but that would be the first report for a couple of years.
What version of gpgsm are you using?
$ gpgsm --version
gpgsm (GnuPG) 2.0.12-svn4945
libgcrypt 1.4.2-svn1299
libksba 1.0.4-svn284
What software created the data?
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From wk at gnupg.org Mon May 4 10:24:20 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 04 May 2009 10:24:20 +0200
Subject: New results against SHA-1
In-Reply-To: <20090501035849.7658.qmail@smasher.org> (Atom Smasher's message
of "Fri, 1 May 2009 15:58:47 +1200 (NZST)")
References:
<20090501035849.7658.qmail@smasher.org>
Message-ID: <87vdohs2bv.fsf@wheatstone.g10code.de>
On Fri, 1 May 2009 05:58, atom at smasher.org said:
> so... when is the open-pgp spec moving beyond SHA1 hashes to identify
> public keys? what's next? will it have to be a bigger hash?
OpenPGP does not claim that the fingerprint is a unique way to identify
a key.
Also note that the results are about collision attacks and not about
second preimage attacks. Thus the whole thing basically boils down to
the concept of non-repudiation; something which is very hard to achieve
anyway.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From wk at gnupg.org Mon May 4 10:26:08 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 04 May 2009 10:26:08 +0200
Subject: gnupg 1.2.6
In-Reply-To: <200905021706.22037.webmaster@felipe1982.com> (Felipe Alvarez's
message of "Sat, 2 May 2009 17:06:13 +1000")
References: <200905021706.22037.webmaster@felipe1982.com>
Message-ID: <87r5z5s28v.fsf@wheatstone.g10code.de>
On Sat, 2 May 2009 09:06, webmaster at felipe1982.com said:
> My web host has gnupg 1.2.6 on their machines. I often SSH into it when
> I am not at home on my gnulinux box. Anything I should be concerned
> about when using this version? the two key pairs I made (DSS signing,
> ELG encryption) were made on gnupg 2.0.9, and transfered (and
> imported) to this host via SSH.
Install a current version of GnuPG. If you are not able to do so, you
should never copy your private key to such a machine.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From nicholas.cole at gmail.com Mon May 4 12:16:14 2009
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Mon, 4 May 2009 11:16:14 +0100
Subject: New results against SHA-1
In-Reply-To: <87vdohs2bv.fsf@wheatstone.g10code.de>
References:
<20090501035849.7658.qmail@smasher.org>
<87vdohs2bv.fsf@wheatstone.g10code.de>
Message-ID:
On Mon, May 4, 2009 at 9:24 AM, Werner Koch wrote:
> On Fri, 1 May 2009 05:58, atom at smasher.org said:
>
>> so... when is the open-pgp spec moving beyond SHA1 hashes to identify
>> public keys? what's next? will it have to be a bigger hash?
>
> OpenPGP does not claim that the fingerprint is a unique way to identify
> a key.
How does GPG cope if two keys on the keyring have the same FP? AFAICS
that would make things very difficult for most of the front-ends,
especially if they had been relying on the uniqueness (in practice) of
the FP to specify which key to operate on.
N.
From wk at gnupg.org Mon May 4 13:39:41 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 04 May 2009 13:39:41 +0200
Subject: New results against SHA-1
In-Reply-To:
(Nicholas Cole's message of "Mon, 4 May 2009 11:16:14 +0100")
References:
<20090501035849.7658.qmail@smasher.org>
<87vdohs2bv.fsf@wheatstone.g10code.de>
Message-ID: <87my9tqepu.fsf@wheatstone.g10code.de>
On Mon, 4 May 2009 12:16, nicholas.cole at gmail.com said:
> How does GPG cope if two keys on the keyring have the same FP? AFAICS
> that would make things very difficult for most of the front-ends,
I don't know, because I am not able to create such keys ;-).
It is not different from looking up the keys using the long keyid. We
would need to iterate over all matching keys until we can verify/decrypt
a message.
The only real crypto use in the protocol is with the revocation key
(designated revoker) which uses a 20 byte fingerprint to specify the
key. However I cannot see where there is a threat.
There are some internal uses of SHA-1 and RIPE-MD-160 in GPG: Mainly to
identify keys in the trustdb. You will likely run into problems adding
another key with the same fingerprint. The forthcoming new keyring
format will cope with that by not allowing a second key with the same
fingerprint.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From dshaw at jabberwocky.com Mon May 4 14:51:56 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 4 May 2009 08:51:56 -0400
Subject: New results against SHA-1
In-Reply-To:
References:
<20090501035849.7658.qmail@smasher.org>
<87vdohs2bv.fsf@wheatstone.g10code.de>
Message-ID: <4B1DA997-0E16-4A39-A859-7D7FEB2CA8C5@jabberwocky.com>
On May 4, 2009, at 6:16 AM, Nicholas Cole wrote:
> On Mon, May 4, 2009 at 9:24 AM, Werner Koch wrote:
>> On Fri, 1 May 2009 05:58, atom at smasher.org said:
>>
>>> so... when is the open-pgp spec moving beyond SHA1 hashes to
>>> identify
>>> public keys? what's next? will it have to be a bigger hash?
>>
>> OpenPGP does not claim that the fingerprint is a unique way to
>> identify
>> a key.
>
> How does GPG cope if two keys on the keyring have the same FP? AFAICS
> that would make things very difficult for most of the front-ends,
> especially if they had been relying on the uniqueness (in practice) of
> the FP to specify which key to operate on.
In theory, OpenPGP implementations should cope just fine with multiple
keys having the same fingerprint. What to do depends on the context,
but you could for example try all of the same-FP keys to verify a
signature, etc.
In practice, however, I suspect that most, if not all, OpenPGP
programs would exhibit strange behavior of one sort or another. This
sort of thing is hard to test for since it essentially implies
creating a SHA-1 collision (which even with the recent discoveries is
not a trivial thing). It's possible to fake a collision in the code,
but again, they're so absurdly rare there are other bugs that would
hit first.
In the computer urban legend department, I actually heard a story once
about someone who claimed to have (completely accidentally) generated
a key with a colliding fingerprint. Unfortunately he deleted it
because he thought it was a bad key when his client didn't behave well
with it.... You may draw from that what you will!
David
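Added example, not GnuPG code: a Python sketch of the lookup behaviour Werner Koch and David Shaw describe above, where a fingerprint is a lookup hint and every key stored under it is tried until one verifies. The fingerprint function follows RFC 4880 section 12.2; the keys are toy textbook RSA, both keyring classes are hypothetical, and the collision is faked in code by swapping in a constant fingerprint function.

```python
import hashlib
import struct
from collections import defaultdict

E = 65537


def toy_rsa(p, q):
    """Toy RSA key from two primes; illustration only, far too small for real use."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_fingerprint(key, created=0):
    """SHA-1 over 0x99, a 2-byte length and the version 4 public-key packet body."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(key["n"]) + mpi(key["e"])
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_keyid(fingerprint):
    """The long key ID is the low-order 64 bits of the fingerprint."""
    return fingerprint[-8:].hex().upper()


def digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(key, message):
    """Textbook RSA without padding, only so the demo has something to verify."""
    return pow(digest_int(message, key["n"]), key["d"], key["n"])


def verify(key, message, sig):
    return pow(sig, key["e"], key["n"]) == digest_int(message, key["n"])


class NaiveKeyring:
    """Assumes fingerprints are unique: a second key with the same one replaces the first."""

    def __init__(self, fpr=v4_fingerprint):
        self.fpr, self.keys = fpr, {}

    def add(self, key):
        self.keys[self.fpr(key)] = key

    def verify(self, fingerprint, message, sig):
        key = self.keys.get(fingerprint)
        return key is not None and verify(key, message, sig)


class MultiKeyring:
    """Keeps every key stored under a fingerprint and tries each one in turn."""

    def __init__(self, fpr=v4_fingerprint):
        self.fpr, self.keys = fpr, defaultdict(list)

    def add(self, key):
        self.keys[self.fpr(key)].append(key)

    def verify(self, fingerprint, message, sig):
        return any(verify(k, message, sig) for k in self.keys.get(fingerprint, []))


def demo():
    """Store two keys under one faked fingerprint and verify a signature by the first."""
    key_a = toy_rsa(2**61 - 1, 2**89 - 1)       # constructed toy keys (Mersenne primes)
    key_b = toy_rsa(2**107 - 1, 2**127 - 1)

    def fake(key):                              # faked collision: constant fingerprint
        return b"\x00" * 20

    message = b"signed by key A"
    sig = sign(key_a, message)
    results = {}
    for ring in (NaiveKeyring(fake), MultiKeyring(fake)):
        ring.add(key_a)
        ring.add(key_b)
        results[type(ring).__name__] = ring.verify(fake(key_a), message, sig)
    return results


if __name__ == "__main__":
    print(demo())
```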
From mail at 404not-found.de Mon May 4 17:21:48 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Mon, 4 May 2009 17:21:48 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org>
<20090503121703.GA10433@ruderich.org>
<742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
Message-ID: <200905041721.57079.mail@404not-found.de>
On Monday 04 May 2009 04:56:24 David Shaw wrote:
> If you want a DSA2 key:
>
> gpg --enable-dsa2 --gen-key
>
> Select option 1, and enter 3072 for the DSA key size.
> If you want an RSA key:
>
> gpg --cert-digest-algo sha256 --gen-key
>
> Select option 5. Enter a RSA key size. The default (2048) is fine.
Why do you recommend the DSA2 signing key to be larger than the RSA signing
key?
From simon at ruderich.org Mon May 4 18:03:23 2009
From: simon at ruderich.org (Simon Ruderich)
Date: Mon, 4 May 2009 18:03:23 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<20090503121703.GA10433@ruderich.org>
<742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
Message-ID: <20090504160323.GA29612@ruderich.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sun, May 03, 2009 at 10:56:24PM -0400, David Shaw wrote:
> [snip]
>
> The end result will be a key that does not use SHA-1 either in its
> internal construction or in signatures it makes elsewhere. Keep in mind
> that there are some clients out there that simply cannot cope with this
> key and will reject it with one failure message or another. The most
> recent versions of either PGP or GPG can handle it just fine.
>
> David
Hi,
Thanks for your help. I created a RSA key and it works fine.
Simon
--
+ privacy is necessary
+ using http://gnupg.org
+ public key id: 0x6115F804EFB33229
From christoph.anton.mitterer at physik.uni-muenchen.de Mon May 4 19:33:16 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Mon, 04 May 2009 19:33:16 +0200
Subject: New results against SHA-1
In-Reply-To: <87my9tqepu.fsf@wheatstone.g10code.de>
References:
<20090501035849.7658.qmail@smasher.org>
<87vdohs2bv.fsf@wheatstone.g10code.de>
<87my9tqepu.fsf@wheatstone.g10code.de>
Message-ID: <1241458396.4024.3.camel@fermat.scientia.net>
On Mon, 2009-05-04 at 13:39 +0200, Werner Koch wrote:
> The forthcoming new keyring
> format will cope with that by not allowing a second key with the same
> fingerprint.
Ah,.. I've always thought this would be already the case ^^
When will we see this new format?
Chris.
From christoph.anton.mitterer at physik.uni-muenchen.de Mon May 4 19:34:58 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Mon, 04 May 2009 19:34:58 +0200
Subject: New results against SHA-1
In-Reply-To: <87my9tqepu.fsf@wheatstone.g10code.de>
References:
<20090501035849.7658.qmail@smasher.org>
<87vdohs2bv.fsf@wheatstone.g10code.de>
<87my9tqepu.fsf@wheatstone.g10code.de>
Message-ID: <1241458498.4024.5.camel@fermat.scientia.net>
On Mon, 2009-05-04 at 13:39 +0200, Werner Koch wrote:
> The only real crypto use in the protocol is with the revocation key
> (designated revoker) which uses a 20 byte fingerprint to specify the
> key. However I cannot see where there is a threat.
Ok,.. but most people do not exchange the key-data and sign it,.. but
just the fingerprint....
So in practice this does not only affect the revocation signatures, does
it?
Chris.
From faramir.cl at gmail.com Mon May 4 19:31:45 2009
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 04 May 2009 13:31:45 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <200905041721.57079.mail@404not-found.de>
References: <20090502102545.GA17546@ruderich.org> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
<200905041721.57079.mail@404not-found.de>
Message-ID: <49FF2681.7000803@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Raimar Sandner wrote:
> On Monday 04 May 2009 04:56:24 David Shaw wrote:
>
>> If you want a DSA2 key:
>>
>> gpg --enable-dsa2 --gen-key
>>
>> Select option 1, and enter 3072 for the DSA key size.
>
>
>> If you want an RSA key:
>>
>> gpg --cert-digest-algo sha256 --gen-key
>>
>> Select option 5. Enter a RSA key size. The default (2048) is fine.
>
> Why do you recommend the DSA2 signing key to be larger than the RSA signing
> key?
Good question, indeed.
Best Regards
From christoph.anton.mitterer at physik.uni-muenchen.de Mon May 4 19:40:05 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Mon, 04 May 2009 19:40:05 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<20090503121703.GA10433@ruderich.org>
<742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
Message-ID: <1241458805.4024.8.camel@fermat.scientia.net>
On Sun, 2009-05-03 at 22:56 -0400, David Shaw wrote:
> It's important to remember that this isn't a completely SHA-1 free
> key, as that is not currently possible in the OpenPGP protocol, but it
> is possible to make a "use as little SHA-1 as possible key".
Is there anything else than the fingerprint for the revocation
signatures and MDC?
> The end result will be a key that does not use SHA-1 either in its
> internal construction or in signatures it makes elsewhere. Keep in
> mind that there are some clients out there that simply cannot cope
> with this key and will reject it with one failure message or another.
> The most recent versions of either PGP or GPG can handle it just fine.
What would you suggest for existing RSA/DSA2 keys that always used SHA1
for their self-sigs and cert-sigs on other keys?
Should those be recreated with the "better" hash algo?
Regards,
Chris.
From jmoore3rd at bellsouth.net Mon May 4 23:01:08 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 04 May 2009 17:01:08 -0400
Subject: New results against SHA-1
In-Reply-To:
References: <20090501035849.7658.qmail@smasher.org> <87vdohs2bv.fsf@wheatstone.g10code.de>
Message-ID: <49FF5794.2030808@bellsouth.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Nicholas Cole wrote:
> How does GPG cope if two keys on the keyring have the same FP? AFAICS
> that would make things very difficult for most of the front-ends,
> especially if they had been relying on the uniqueness (in practice) of
> the FP to specify which key to operate on.
Please show Me an example of this happening in the Real World.
JOHN 8-)
Timestamp: Monday 04 May 2009, 17:00 --400 (Eastern Daylight Time)
From moni_sparkle at yahoo.com Fri May 1 20:01:51 2009
From: moni_sparkle at yahoo.com (MShah)
Date: Fri, 1 May 2009 11:01:51 -0700 (PDT)
Subject: How to use salt in the gpg decrypt expression?
Message-ID: <23337352.post@talk.nabble.com>
I have gpg encrypted data that I imported into the DB at my company, they
have provided the passphrase and salt. I am wondering how to provide the
salt in the decrypting expression. Any feedback on this will be
appreciated. Here is how I am using it without the salt:
gpg.exe --passphrase Id6Ai6Cp4S -d c:\tmp\rrrK.gpg
How do I include salt in the above expression? I looked at gpg help, but
that has no option of including the salt.
Thanks,
Moni
--
View this message in context: http://www.nabble.com/How-to-use-salt-in-the-gpg-decrypt-expression--tp23337352p23337352.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
From nicholas.cole at gmail.com Tue May 5 00:33:35 2009
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Mon, 4 May 2009 23:33:35 +0100
Subject: New results against SHA-1
In-Reply-To: <49FF5794.2030808@bellsouth.net>
References:
<20090501035849.7658.qmail@smasher.org>
<87vdohs2bv.fsf@wheatstone.g10code.de>
<49FF5794.2030808@bellsouth.net>
Message-ID:
On Mon, May 4, 2009 at 10:01 PM, John W. Moore III
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Nicholas Cole wrote:
>
>> How does GPG cope if two keys on the keyring have the same FP? AFAICS
>> that would make things very difficult for most of the front-ends,
>> especially if they had been relying on the uniqueness (in practice) of
>> the FP to specify which key to operate on.
>
> Please show Me an example of this happening in the Real World.
>
> JOHN 8-)
Well, I'm just not that lucky! Or is that unlucky? It is possible,
though, that someone, somewhere will be. If the story reported
earlier in this thread is right, someone already has been.
Wouldn't a way around some of the (unlikely) problems be for gpg to
give each key on the keyring a guaranteed unique number (guaranteed,
for example, to be unique on that keyring), and allow users and
front-ends to specify a key by that number? This might even be as
simple as a number generated by pre-pending the number of the key in
the standard --list-keys output to the fingerprint.
Best,
N.
From dshaw at jabberwocky.com Tue May 5 04:44:12 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 4 May 2009 22:44:12 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <200905041721.57079.mail@404not-found.de>
References: <20090502102545.GA17546@ruderich.org>
<20090503121703.GA10433@ruderich.org>
<742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
<200905041721.57079.mail@404not-found.de>
Message-ID:
On May 4, 2009, at 11:21 AM, Raimar Sandner wrote:
> On Monday 04 May 2009 04:56:24 David Shaw wrote:
>
>> If you want a DSA2 key:
>>
>> gpg --enable-dsa2 --gen-key
>>
>> Select option 1, and enter 3072 for the DSA key size.
>
>
>> If you want an RSA key:
>>
>> gpg --cert-digest-algo sha256 --gen-key
>>
>> Select option 5. Enter a RSA key size. The default (2048) is fine.
>
> Why do you recommend the DSA2 signing key to be larger than the RSA
> signing
> key?
Heh. It's because of fussy internal parameter settings. DSA2 keys
can use different hashes, and the hashes they use are tied to the key
size. There is some looseness in the parameters, but in GPG it
basically boils down to this:
If the key is over 2048 bits, use a 256-bit hash.
If the key is over 1024 bits, use a 224-bit hash.
Otherwise, use a 160-bit hash.
I couldn't specify the DSA key to be 2048 bits long to match the RSA
key because that would have given it a 224-bit hash instead of the
promised 256-bit hash.
David
From dshaw at jabberwocky.com Tue May 5 05:46:33 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 4 May 2009 23:46:33 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <1241458805.4024.8.camel@fermat.scientia.net>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<20090503121703.GA10433@ruderich.org>
<742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
<1241458805.4024.8.camel@fermat.scientia.net>
Message-ID: <1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com>
On May 4, 2009, at 1:40 PM, Christoph Anton Mitterer wrote:
> On Sun, 2009-05-03 at 22:56 -0400, David Shaw wrote:
>> It's important to remember that this isn't a completely SHA-1 free
>> key, as that is not currently possible in the OpenPGP protocol, but
>> it
>> is possible to make a "use as little SHA-1 as possible key".
> Is there anything else than the fingerprint for the revocation
> signatures and MDC?
I believe that's it. Fingerprints, revocation signatures (which use
fingerprints internally), and the MDC.
>> The end result will be a key that does not use SHA-1 either in its
>> internal construction or in signatures it makes elsewhere. Keep in
>> mind that there are some clients out there that simply cannot cope
>> with this key and will reject it with one failure message or another.
>> The most recent versions of either PGP or GPG can handle it just
>> fine.
> What would you suggest for existing RSA/DSA2 keys that always used
> SHA1
> for their self-sigs and cert-sigs on other keys?
> Should those be recreated with the "better" hash algo?
While I would start (did start, actually, a few years ago) using
SHA-256 to certify other people's keys, I wouldn't bother re-issuing
older SHA-1 certifications.
Re-issuing your self-sigs is more or less harmless. The keyservers
never delete anything, so they'll end up with both the old and new.
Assuming all works properly, the newer clients should end up using the
newer selfsig, and the older clients should keep using the old one (as
they won't be able to verify the new one). If you're distributing
your key outside of the keyservers, then you can go further and strip
off the old SHA-1 selfsig. If you do this, you can end up breaking
compatibility with some non-zero percentage of the community. The
exact amount of breakage depends on your particular circle of
correspondents and how often they upgrade, etc.
David
From wk at gnupg.org Tue May 5 09:24:08 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 05 May 2009 09:24:08 +0200
Subject: New results against SHA-1
In-Reply-To:
(Nicholas Cole's message of "Mon, 4 May 2009 23:33:35 +0100")
References:
<20090501035849.7658.qmail@smasher.org>
<87vdohs2bv.fsf@wheatstone.g10code.de>
<49FF5794.2030808@bellsouth.net>
Message-ID: <877i0w9fmv.fsf@wheatstone.g10code.de>
On Tue, 5 May 2009 00:33, nicholas.cole at gmail.com said:
> front-ends to specify a key by that number? This might even be as
> simple as a number generated by pre-pending the number of the key in
> the standard --list-keys output to the fingerprint.
We had something like this many years ago but dropped it later. I can't
remember the details. The problem was that updating the keyring could
lead to conflicts and basically we had to use yet another hash of
something. Thus there is no advantage over the fingerprint.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From faramir.cl at gmail.com Tue May 5 18:49:51 2009
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 05 May 2009 12:49:51 -0400
Subject: About default key used for trustdb
Message-ID: <4A006E2F.6000407@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello:
Recently, I noticed a key signed by me was not shown as trusted
(using gpgshell GUI). I did a test, and tried to sign the key again, and
found gpg wanted to use a "group key" (a key used by a group of persons
to encrypt/decrypt messages, to protect them while they are in transit),
instead of my personal keys. So, is there a way to tell gpg to "view
keys from one of my keys point of view"? I had noticed this before, but
since it always selected one of my personal keys, and all of them trust
each other, that was never a problem, until now.
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
From subs at christiantena.net Tue May 5 21:50:24 2009
From: subs at christiantena.net (Philip)
Date: Tue, 05 May 2009 20:50:24 +0100
Subject: problems with http://www.gnupg.org
Message-ID: <4A009880.8090807@christiantena.net>
all the links from http://www.gnupg.org/docs.html are dead
for example
http://www.gnupg.org/howtos.en.html
404 Not Found
The requested URL /howtos.en.html was not found on this server.
I tried to email the webmaster but the email is bouncing
I can't access http://www.gnupg.org/mailing-lists.en.html to see if
there's a better list to send to than this one either!
I'm hoping someone here can do something about it
regards, Philip
From brad at fineby.me.uk Tue May 5 22:08:10 2009
From: brad at fineby.me.uk (Brad Rogers)
Date: Tue, 5 May 2009 21:08:10 +0100
Subject: problems with http://www.gnupg.org
In-Reply-To: <4A009880.8090807@christiantena.net>
References: <4A009880.8090807@christiantena.net>
Message-ID: <20090505210810.5a240856@abydos.stargate.org.uk>
On Tue, 05 May 2009 20:50:24 +0100
Philip wrote:
Hello Philip,
> all the links from http://www.gnupg.org/docs.html are dead
Works for me....
--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
Watching the people get lairy
I Predict A Riot - Kaiser Chiefs
From dave.smith at st.com Tue May 5 22:17:17 2009
From: dave.smith at st.com (David SMITH)
Date: Tue, 5 May 2009 21:17:17 +0100
Subject: problems with http://www.gnupg.org
In-Reply-To: <4A009880.8090807@christiantena.net>
References: <4A009880.8090807@christiantena.net>
Message-ID: <20090505201717.GA16232@bristol.st.com>
On Tue, May 05, 2009 at 08:50:24PM +0100, Philip wrote:
> all the links from http://www.gnupg.org/docs.html are dead
> for example
> http://www.gnupg.org/howtos.en.html
> 404 Not Found
> The requested URL /howtos.en.html was not found on this server.
>
> I tried to email the webmaster but the email is bouncing
>
> I can't access http://www.gnupg.org/mailing-lists.en.html to see if
> there's a better list to send to than this one either!
>
> I'm hoping someone here can do something about it
Works OK for me, so either someone's already fixed it, or it was a
transient problem.
--
David Smith | Tel: +44 (0)1454 462380 Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305 Mobile: +44 (0)7932 642724
1000 Aztec West | TINA: 065 2380 GPG Key: 0xF13192F2
Almondsbury | Work Email: Dave.Smith at st.com
BRISTOL, BS32 4SQ | Home Email: David.Smith at ds-electronics.co.uk
From christoph.anton.mitterer at physik.uni-muenchen.de Tue May 5 23:21:14 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Tue, 05 May 2009 23:21:14 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<20090503121703.GA10433@ruderich.org>
<742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
<1241458805.4024.8.camel@fermat.scientia.net>
<1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com>
Message-ID: <1241558474.8226.8.camel@fermat.scientia.net>
On Mon, 2009-05-04 at 23:46 -0400, David Shaw wrote:
> I believe that's it. Fingerprints, revocation signatures (which use
> fingerprints internally), and the MDC.
> While I would start (did start, actually, a few years ago) using
> SHA-256 to certify other people's keys, I wouldn't bother re-issuing
> older SHA-1 certifications.
>
> Re-issuing your self-sigs is more or less harmless. The keyservers
> never delete anything, so they'll end up with both the old and new.
I'm not sure if this leads to the same discussion that we had some time
ago on the WG-list (about explicitly revoking previous self-sigs),...
but if a key has self-sigs with different hash-algos,... does this
"allow" downgrade-attacks or the like?
> Assuming all works properly, the newer clients should end up using the
> newer selfsig, and the older clients should keep using the old one (as
> they won't be able to verify the new one).
Even when they see, that the self-sig with the "better" algo, has a
newer creation date?
Would consider this critical :/
Best wishes,
Chris.
From John at Mozilla-Enigmail.org Wed May 6 00:22:43 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Tue, 05 May 2009 17:22:43 -0500
Subject: problems with http://www.gnupg.org
In-Reply-To: <4A009880.8090807@christiantena.net>
References: <4A009880.8090807@christiantena.net>
Message-ID: <4A00BC33.5090302@Mozilla-Enigmail.org>
Philip wrote:
> all the links from http://www.gnupg.org/docs.html are dead
> for example
> http://www.gnupg.org/howtos.en.html
> 404 Not Found
> The requested URL /howtos.en.html was not found on this server.
>
> I tried to email the webmaster but the email is bouncing
>
> I can't access http://www.gnupg.org/mailing-lists.en.html to see if
> there's a better list to send to than this one either!
>
> I'm hoping someone here can do something about it
They work with the full path. Your examples leave out '/documentation' at
the beginning of the path.
Try
http://www.gnupg.org/documentation/howtos.en.html
or
http://www.gnupg.org/documentation/mailing-lists.en.html
--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
From stormer at stormer.org Wed May 6 02:19:58 2009
From: stormer at stormer.org (Stormer's Cgi-Archive)
Date: Tue, 5 May 2009 20:19:58 -0400
Subject: procmail recipe and gpg?
Message-ID:
Does anyone have a good procmail recipe for gpg?
I'd like it so that any email sent to an email account is encrypted
with that users public gpg key.
Don't need to worry about attachments.
An example application of this would be...
Simple perl scripts that send an email to a user on the same server.
This way, anything sent to that end user would be encrypted. The end
user could then pop the mail off the server and decrypt it with their
local private key.
Many thanks!
James
From dshaw at jabberwocky.com Wed May 6 04:16:17 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 5 May 2009 22:16:17 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <1241558474.8226.8.camel@fermat.scientia.net>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<20090503121703.GA10433@ruderich.org>
<742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
<1241458805.4024.8.camel@fermat.scientia.net>
<1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com>
<1241558474.8226.8.camel@fermat.scientia.net>
Message-ID: <5566128E-F02F-4AB4-B53C-97EC117AF688@jabberwocky.com>
On May 5, 2009, at 5:21 PM, Christoph Anton Mitterer wrote:
> On Mon, 2009-05-04 at 23:46 -0400, David Shaw wrote:
>>
>>
>> Re-issuing your self-sigs is more or less harmless. The keyservers
>> never delete anything, so they'll end up with both the old and new.
> I'm not sure if this leads to the same discussion that we had some
> time
> ago on the WG-list (about explicitly revoking previous self-sigs),...
> but if a key has self-sigs with different hash-algos,... does this
> "allow" downgrade-attacks or the like?
It depends on the attack. What is the attack you are concerned about?
>> Assuming all works properly, the newer clients should end up using
>> the
>> newer selfsig, and the older clients should keep using the old one
>> (as
>> they won't be able to verify the new one).
> Even when they see, that the self-sig with the "better" algo, has a
> newer creation date?
> Would consider this critical :/
They mustn't do this. They can't, really. It would enable a pretty
trivial DoS if I could make up a bogus self-sig with some hash number
that isn't even allocated yet, but a later date, and send it to a
keyserver to be attached to my victim key. GPG must treat any
signature that does not verify as irrelevant.
David
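Added example (not part of the original thread, and not GnuPG's code): a
small Python model of the selection rule David describes, next to the
"newest creation date wins" rule Chris asks about. The toy RSA key, the
SelfSig record, the simplified signed data and the sample values (including
hash ID 99) are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA key built from two Mersenne primes: illustration only, not secure.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

# Hashes each client implements, keyed by OpenPGP hash algorithm ID
# (RFC 4880: 2 = SHA-1, 8 = SHA-256).
OLD_CLIENT = {2: hashlib.sha1}
NEW_CLIENT = {2: hashlib.sha1, 8: hashlib.sha256}


@dataclass(frozen=True)
class SelfSig:
    created: int   # creation time (seconds since the epoch)
    hash_id: int   # hash algorithm ID the signature claims
    prefs: str     # stands in for the hashed subpackets
    sig: int       # toy RSA signature value


def _digest(hash_fn, s):
    # Simplified signed data; real OpenPGP also hashes the key and user ID.
    data = f"{s.created}|{s.hash_id}|{s.prefs}".encode()
    return int.from_bytes(hash_fn(data).digest(), "big") % N


def make_selfsig(created, hash_id, prefs, hash_fn):
    """Key owner's side: sign the digest with the private exponent."""
    unsigned = SelfSig(created, hash_id, prefs, 0)
    return SelfSig(created, hash_id, prefs, pow(_digest(hash_fn, unsigned), D, N))


def verifies(s, client):
    """True only if this client implements the hash and the signature checks."""
    hash_fn = client.get(s.hash_id)
    if hash_fn is None:
        return False   # unknown hash: cannot verify, so treat as irrelevant
    return pow(s.sig, E, N) == _digest(hash_fn, s)


def select_selfsig(selfsigs, client):
    """Rule from the reply: drop what does not verify, then take the newest."""
    valid = [s for s in selfsigs if verifies(s, client)]
    return max(valid, key=lambda s: s.created, default=None)


def naive_select(selfsigs, client):
    """Rule from the question: trust the newest creation date, verify after.
    A single unverifiable signature with a later date leaves the key unusable."""
    newest = max(selfsigs, key=lambda s: s.created, default=None)
    return newest if newest is not None and verifies(newest, client) else None


# Constructed sample: an old SHA-1 self-sig, a re-issued SHA-256 self-sig, and
# a third-party packet with a later date and an unallocated hash ID.
OLD_SIG = make_selfsig(1_100_000_000, 2, "prefs: SHA1", hashlib.sha1)
NEW_SIG = make_selfsig(1_241_000_000, 8, "prefs: SHA256", hashlib.sha256)
BOGUS = SelfSig(1_900_000_000, 99, "not from the key owner", 1)
KEY_SIGS = [OLD_SIG, BOGUS, NEW_SIG]

if __name__ == "__main__":
    print("old client uses  :", select_selfsig(KEY_SIGS, OLD_CLIENT))
    print("new client uses  :", select_selfsig(KEY_SIGS, NEW_CLIENT))
    print("newest-date rule :", naive_select(KEY_SIGS, NEW_CLIENT))
```

The old client cannot verify the SHA-256 self-sig and keeps using the SHA-1
one, while neither client is affected by the later-dated packet.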
From subs at christiantena.net Wed May 6 11:42:12 2009
From: subs at christiantena.net (Philip)
Date: Wed, 06 May 2009 10:42:12 +0100
Subject: problems with http://www.gnupg.org
In-Reply-To: <4A00BC33.5090302@Mozilla-Enigmail.org>
References: <4A009880.8090807@christiantena.net>
<4A00BC33.5090302@Mozilla-Enigmail.org>
Message-ID: <4A015B74.6000603@christiantena.net>
thanks
I don't remember where or what linked to http://www.gnupg.org/docs.html
maybe it's related to this "bug"
https://bugs.g10code.com/gnupg/issue33
I think it might be better if the content at
http://www.gnupg.org/docs.html can be changed to a simple
"this page has moved to http://www.gnupg.org/documentation/"
or something
John Clizbe wrote:
> Philip wrote:
>> all the links from http://www.gnupg.org/docs.html are dead
>> for example
>> http://www.gnupg.org/howtos.en.html
>> 404 Not Found
>> The requested URL /howtos.en.html was not found on this server.
>>
>> I tried to email the webmaster but the email is bouncing
>>
>> I can't access http://www.gnupg.org/mailing-lists.en.html to see if
>> there's a better list to send to than this one either!
>>
>> I'm hoping someone here can do something about it
>
> They work with the full path. Your examples leave out '/documentation' at
> the beginning of the path.
>
> Try
> http://www.gnupg.org/documentation/howtos.en.html
> or
> http://www.gnupg.org/documentation/mailing-lists.en.html
>
>
>
>
From webmaster at felipe1982.com Wed May 6 12:03:13 2009
From: webmaster at felipe1982.com (felipe alvarez)
Date: Wed, 6 May 2009 20:03:13 +1000
Subject: Fw: problems with http://www.gnupg.org
Message-ID: <0B7E8B6BC0C84C93BEB5D0BFECFB44FC@cheetah>
----- Original Message -----
From: "felipe alvarez"
To: "David SMITH"
Sent: Wednesday, May 06, 2009 8:02 PM
Subject: Re: problems with http://www.gnupg.org
>
> ----- Original Message -----
> From: "David SMITH"
> To:
> Sent: Wednesday, May 06, 2009 6:17 AM
> Subject: Re: problems with http://www.gnupg.org
>
>
>> On Tue, May 05, 2009 at 08:50:24PM +0100, Philip wrote:
>>> all the links from http://www.gnupg.org/docs.html are dead
>>> for example
>>> http://www.gnupg.org/howtos.en.html
>>> 404 Not Found
>>> The requested URL /howtos.en.html was not found on this server.
>>>
>>> I tried to email the webmaster but the email is bouncing
>>>
>>> I can't access http://www.gnupg.org/mailing-lists.en.html to see if
>>> there's a better list to send to than this one either!
>>>
>>> I'm hoping someone here can do something about it
>>
>> Works OK for me, so either someone's already fixed it, or it was a
>> transient problem.
They are definitely broken. Click on the purple-ish links that are most
prominent, centre of page.
felipe
From brad at fineby.me.uk Wed May 6 12:51:27 2009
From: brad at fineby.me.uk (Brad Rogers)
Date: Wed, 6 May 2009 11:51:27 +0100
Subject: problems with http://www.gnupg.org
In-Reply-To: <0B7E8B6BC0C84C93BEB5D0BFECFB44FC@cheetah>
References: <0B7E8B6BC0C84C93BEB5D0BFECFB44FC@cheetah>
Message-ID: <20090506115127.311983a7@abydos.stargate.org.uk>
On Wed, 6 May 2009 20:03:13 +1000
"felipe alvarez" wrote:
Hello felipe,
> They are definitely broken. Click on the purple-ish links that are
> most prominent, centre of page.
Whoops! You're right. I didn't even try those, thinking they weren't
links at all, just topic headings.
The links down the left hand side still work, of course.
--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"
Kill joy, bad guy, big talking, small fry
Death On Two Legs - Queen
From steveo at syslang.net Wed May 6 19:18:51 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Wed, 6 May 2009 13:18:51 -0400 (EDT)
Subject: Question about gpg-agent
Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm running Fedora 10 (if anyone cares) with gnupg2-2.0.10-1.fc10.i386.
I'm up and rolling, but I'd like to know more about configuring the agent.
I started the agent via the recommended incantation:
eval "$(gpg-agent --daemon)"
in my ~/.kde/AutoStart
and I set
use-agent
in my ~/.gnupg/gpg.conf
I'm not seeing a place that defines what the default values are for the
gpg-agent. I wanted to change the default TTL for a passphrase so I said
default-cache-ttl 6000
in my .gnupg/gpg-agent.conf
But I also have a gpa.conf and I don't know which is the right place to
put the change or how to tell what the current settings are.
Also, in my gpg.conf file I have
default-key 5E2A01198E98730A87DF205C448572E1F0BE3724
but in the gpa.conf, I have the following.
*519 > cat .gnupg/gpa.conf
default-key ADA6F1B17880A139848FCE939FD2865783254088
keyserver hkp://random.sks.keyserver.penguin.de
So basically, I'm confused and I don't see any docs to help. Can someone
help?
TIA
- --
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (GNU/Linux)
-----END PGP SIGNATURE-----
From kloecker at kde.org Wed May 6 21:18:42 2009
From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=)
Date: Wed, 06 May 2009 21:18:42 +0200
Subject: Question about gpg-agent
In-Reply-To:
References:
Message-ID: <200905062118.43198@thufir.ingo-kloecker.de>
On Wednesday 06 May 2009, Steven W. Orr wrote:
> I'm running Fedora 10 (if anyone cares) with
> gnupg2-2.0.10-1.fc10.i386.
>
> I'm up and rolling, but I'd like to know more about configuring the
> agent. I started the agent via the recommended incantation:
>
> eval "$(gpg-agent --daemon)"
>
> in my ~/.kde/AutoStart
AFAIK, this should be ~/.kde/env, so that the environment variable set
by gpg-agent is available to everything running in the X session.
FWIW, I have
killall gpg-agent 2>/dev/null
eval "$(gpg-agent --daemon --default-cache-ttl 36000)"
in ~/.kde/env/start-gpg-agent.sh.
> and I set
>
> use-agent
>
> in my ~/.gnupg/gpg.conf
>
> I'm not seeing a place that defines what the default values are for
> the gpg-agent. I wanted to change the default TTL for a passphrase so
> I said
>
> default-cache-ttl 6000
See my example above.
Regards,
Ingo
From gpg2.20.maniams at dfgh.net Wed May 6 19:53:41 2009
From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net)
Date: Wed, 6 May 2009 21:53:41 +0400
Subject: Use GPG to create encrypted files readable by PGP
Message-ID: <5313cd090905061053n5f023627u63140ab58ee54c3@mail.gmail.com>
Dear Members :
Could you (or the list) help me with the following:
- I have a source xl file - say something dot xls
- I wish to encrypt this and the recipient is say Mr. Y
- I wish to have an encrypted result file that is recognized and readable by
Mr. Y using PGP
- A command line (that assumes the following ) would be of great help
Source file : something.xls
Source directory : c:\somewhere\
Result requested : something.xls.pgp -> file that can be decrypted by
PGP
Result directory : c:\somewhere\
recipient : Mr. Y. :
I have his pub key on my ring.
I trust Mr. Y (in real life I have verified his e
mail etc).
But Mr. Y's pub key on my key ring may or
_may NOT_ have trusted signatures / trust levels etc
on the key.
My System : win XP
My knowledge level: I can open the command prompt and type..report back
error messages etc
thanks in advance
Best regards
maniams
From John at Mozilla-Enigmail.org Wed May 6 22:06:38 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Wed, 06 May 2009 15:06:38 -0500
Subject: Use GPG to create encrypted files readable by PGP
In-Reply-To: <5313cd090905061053n5f023627u63140ab58ee54c3@mail.gmail.com>
References: <5313cd090905061053n5f023627u63140ab58ee54c3@mail.gmail.com>
Message-ID: <4A01EDCE.9090809@Mozilla-Enigmail.org>
gpg2.20.maniams at dfgh.net wrote:
> Dear Members :
> Could you (or the list ) help me with the following :
> - I have a source xl file - say something dot xls
> - I wish to encrypt this and the recipient is say Mr. Y
> - I wish to have an encrypted result file that is recognized and
> readable by Mr. Y using PGP
> - A command line (that assumes the following ) would be of great help
>
> Source file : something.xls
> Source directory : c:\somewhere\
> Result requested : something.xls.pgp ->
> file that can be decrypted by PGP
> Result directory : c:\somewhere\
> recipient : Mr. Y. :
> I have his pub key on my ring.
> I trust Mr. Y (in real life I have verified his e mail etc).
> But Mr. Y's pub key on my key ring may or
> _may NOT_ have trusted signatures / trust levels etc on the key.
cd c:\somewhere
gpg --trust-model always --pgp8 -r RECIPIENT_KEY_ID -o something.xls.pgp
-e something.xls
This wraps in the email. In a CMD window you would just type it on one
line.
--trust-model always says to trust the key(s) anyway
--pgp8 is the most recent. There are also --pgp7, --pgp6, and --pgp2
options.
-r sets the encryption _r_ecipient
--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
From gpg2.20.maniams at dfgh.net Thu May 7 07:12:24 2009
From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net)
Date: Thu, 7 May 2009 09:12:24 +0400
Subject: Use GPG to create encrypted files readable by PGP
Message-ID: <5313cd090905062212h2e1b4d94qf165d479f590b463@mail.gmail.com>
On Thu, May 7, 2009 at 12:06 AM, John Clizbe - John at Mozilla-Enigmail.org
wrote:
> gpg2.20.maniams at dfgh.net wrote:
> > Dear Members :
> > Could you (or the list ) help me with the following :
> > - I have a source xl file - say something dot xls
> > - I wish to encrypt this and the recipient is say Mr. Y
> > - I wish to have an encrypted result file that is recognized and
> > readable by Mr. Y using PGP
> > - A command line (that assumes the following ) would be of great help
> >
> > Source file : something.xls
> > Source directory : c:\somewhere\
> > Result requested : something.xls.pgp ->
> > file that can be decrypted by PGP
> > Result directory : c:\somewhere\
> > recipient : Mr. Y. :
> > I have his pub key on my ring.
> > I trust Mr. Y (in real life I have verified his e mail etc).
> > But Mr. Y's pub key on my key ring may or
> > _may NOT_ have trusted signatures / trust levels etc on the key.
>
> cd c:\somewhere
>
> gpg --trust-model always --pgp8 -r RECIPIENT_KEY_ID -o something.xls.pgp
> -e something.xls
>
> This wraps in the email. In a CMD window you would just type it on one
> line.
>
> --trust-model always says to trust the key(s) anyway
>
> --pgp8 is the most recent. There are also --pgp7, --pgp6, and --pgp2
> options.
>
> -r sets the encryption _r_ecipient
>
>
> --
> John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
> You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
> mailto:pgp-public-keys at gingerbear.net?subject=HELP
>
Thanks a ton. That was an amazing reply.
It works for me
May I add a note for other novices: The file name should not contain
spaces. If it did, try using " -> quotes to wrap the file name
regards
subu
From gpg2.20.maniams at dfgh.net Thu May 7 07:20:23 2009
From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net)
Date: Thu, 7 May 2009 09:20:23 +0400
Subject: Can GPG 1.4.9 be used for commercial purposes ?
Message-ID: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com>
Dear Members
Can GPG 1.4.9 be used for commercial purposes ? like sending company files
to a recipient ?
regards
subu
From rjh at sixdemonbag.org Thu May 7 07:45:43 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 07 May 2009 01:45:43 -0400
Subject: Can GPG 1.4.9 be used for commercial purposes ?
In-Reply-To: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com>
References: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com>
Message-ID: <4A027587.7000903@sixdemonbag.org>
gpg2.20.maniams at dfgh.net wrote:
> Can GPG 1.4.9 be used for commercial purposes ? like sending company
> files to a recipient ?
Yes. GnuPG places no restrictions of any kind on how the program may be
used.
From gpg2.20.maniams at dfgh.net Thu May 7 07:19:10 2009
From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net)
Date: Thu, 7 May 2009 09:19:10 +0400
Subject: How to import a key from GPG 1.4.9 to PGP ?
Message-ID: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com>
Dear List
How to import a key pair (my own secret and public keys) from GPG 1.4.9 to
PGP 6.5 ?
Command line help preferred.
If not possible, help using some GPG graphical interface, please.
I'm using a Win XP machine.
thanks in advance
Regards
subu
From faramir.cl at gmail.com Thu May 7 08:01:46 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 07 May 2009 02:01:46 -0400
Subject: Can GPG 1.4.9 be used for commercial purposes ?
In-Reply-To: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com>
References: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com>
Message-ID: <4A02794A.8090406@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
gpg2.20.maniams at dfgh.net wrote:
> Dear Members
>
> Can GPG 1.4.9 be used for commercial purposes? Like sending company
> files to a recipient?
Yes, its usage is free, for individuals and enterprises...
Best Regards
From rjh at sixdemonbag.org Thu May 7 08:45:02 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 07 May 2009 02:45:02 -0400
Subject: How to import a key from GPG 1.4.9 to PGP ?
In-Reply-To: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com>
References: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com>
Message-ID: <4A02836E.3040204@sixdemonbag.org>
gpg2.20.maniams at dfgh.net wrote:
> How to import a key pair (my own secret and public keys) from GPG 1.4.9
> to PGP 6.5 ?
This is generally not worth doing. It can be done, but it is not
recommended.
Is there any possibility of installing PGP 9.x on your XP machine instead?
From wk at gnupg.org Thu May 7 08:47:33 2009
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 May 2009 08:47:33 +0200
Subject: problems with http://www.gnupg.org
In-Reply-To: <4A015B74.6000603@christiantena.net> (subs@christiantena.net's
message of "Wed, 06 May 2009 10:42:12 +0100")
References: <4A009880.8090807@christiantena.net>
<4A00BC33.5090302@Mozilla-Enigmail.org>
<4A015B74.6000603@christiantena.net>
Message-ID: <87zldp4dfe.fsf@wheatstone.g10code.de>
On Wed, 6 May 2009 11:42, subs at christiantena.net said:
> I don't remember where or what linked to http://www.gnupg.org/docs.html
> maybe it's related to this "bug"
> https://bugs.g10code.com/gnupg/issue33
If you look at this bug report, it says that this is a wrong URL and has
been fixed.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From faramir.cl at gmail.com Thu May 7 08:19:07 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 07 May 2009 02:19:07 -0400
Subject: How to import a key from GPG 1.4.9 to PGP ?
In-Reply-To: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com>
References: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com>
Message-ID: <4A027D5B.5050009@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
gpg2.20.maniams at dfgh.net wrote:
> Dear List
>
>
> How to import a key pair (my own secret and public keys) from GPG 1.4.9
> to PGP 6.5 ?
From what I have read on this list, I think that version of PGP is very
old, and can cause compatibility problems... But wait for other
replies, maybe it can be done safely.
Best Regards
From joelcsalomon at gmail.com Thu May 7 16:43:44 2009
From: joelcsalomon at gmail.com (Joel C. Salomon)
Date: Thu, 07 May 2009 10:43:44 -0400
Subject: How to 'un-sign' a key?
Message-ID: <4A02F3A0.2030308@gmail.com>
Folks,
I foolishly signed a key I had not verified well, and the signed version
is on a keyserver. How can I unsign it?
I have tried the following (changing the key ID to 0xDEADBEEF):
> C:\Users\chesky>"c:\Program Files\GNU\GnuPG\gpg.exe" --edit-key 0xDEADBEEF
> gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
>
> pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage: SCEA
> trust: undefined validity: full
> [ full ] (1). Mister Magoo
>
> Command> revsig
> You have signed these user IDs on key DEADBEEF:
> Mister Magoo
That's not all that's supposed to happen, is it?
-Joel Salomon
From joelcsalomon at gmail.com Thu May 7 16:50:06 2009
From: joelcsalomon at gmail.com (Joel C. Salomon)
Date: Thu, 07 May 2009 10:50:06 -0400
Subject: How to 'un-sign' a key?
In-Reply-To: <4A02F3A0.2030308@gmail.com>
References: <4A02F3A0.2030308@gmail.com>
Message-ID: <4A02F51E.9040408@gmail.com>
Joel C. Salomon wrote:
> I foolishly signed a key I had not verified well, and the signed version
> is on a keyserver. How can I unsign it?
>
> I have tried the following (changing the key ID to 0xDEADBEEF):
I tried the command again; not sure why I got a different result:
> C:\Users\chesky>"c:\Program Files\GNU\GnuPG\gpg.exe" --edit-key 0xDEADBEEF
> gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
>
> pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage: SCEA
> trust: undefined validity: full
> [ full ] (1). Mister Magoo
>
> Command> revsig
> You have signed these user IDs on key DEADBEEF:
> Mister Magoo
> signed by your key 8C6CA66E on 2009-02-10
>
> user ID: "Mister Magoo "
> signed by your key 8C6CA66E on 2009-02-10
> Create a revocation certificate for this signature? (y/N) y
> You are about to revoke these signatures:
> Mister Magoo
> signed by your key 8C6CA66E on 2009-02-10
> Really create the revocation certificates? (y/N) y
> Please select the reason for the revocation:
> 0 = No reason specified
> 4 = User ID is no longer valid
> Q = Cancel
> Your decision? 0
> Enter an optional description; end it with an empty line:
> > Key was insufficiently verified before signing.
> >
> Reason for revocation: No reason specified
> Key was insufficiently verified before signing.
> Is this okay? (y/N) y
>
> You need a passphrase to unlock the secret key for
> user: "Joel C. Salomon "
> 1024-bit DSA key, ID 8C6CA66E, created 2009-02-05
>
> pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage: SCEA
> trust: undefined validity: full
> [ full ] (1). Mister Magoo
>
> Command>
Okay, now what do I do?
-Joel Salomon
From mail at 404not-found.de Thu May 7 17:31:02 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Thu, 7 May 2009 17:31:02 +0200
Subject: How to 'un-sign' a key?
In-Reply-To: <4A02F51E.9040408@gmail.com>
References: <4A02F3A0.2030308@gmail.com> <4A02F51E.9040408@gmail.com>
Message-ID: <200905071731.09839.mail@404not-found.de>
On Thursday 07 May 2009 16:50:06 Joel C. Salomon wrote:
> Joel C. Salomon wrote:
> > I foolishly signed a key I had not verified well, and the signed version
> > is on a keyserver. How can I unsign it?
> >
> > I have tried the following (changing the key ID to 0xDEADBEEF):
>
>
>
> I tried the command again; not sure why I got a different result:
> > C:\Users\chesky>"c:\Program Files\GNU\GnuPG\gpg.exe" --edit-key
> > 0xDEADBEEF gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software
> > Foundation, Inc. This is free software: you are free to change and
> > redistribute it. There is NO WARRANTY, to the extent permitted by law.
> >
> >
> > pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage:
> > SCEA trust: undefined validity: full
> > [ full ] (1). Mister Magoo
> >
> > Command> revsig
> > You have signed these user IDs on key DEADBEEF:
> > Mister Magoo
> > signed by your key 8C6CA66E on 2009-02-10
> >
> > user ID: "Mister Magoo "
> > signed by your key 8C6CA66E on 2009-02-10
> > Create a revocation certificate for this signature? (y/N) y
> > You are about to revoke these signatures:
> > Mister Magoo
> > signed by your key 8C6CA66E on 2009-02-10
> > Really create the revocation certificates? (y/N) y
> > Please select the reason for the revocation:
> > 0 = No reason specified
> > 4 = User ID is no longer valid
> > Q = Cancel
> > Your decision? 0
> >
> > Enter an optional description; end it with an empty line:
> > > Key was insufficiently verified before signing.
> >
> > Reason for revocation: No reason specified
> > Key was insufficiently verified before signing.
> > Is this okay? (y/N) y
> >
> > You need a passphrase to unlock the secret key for
> > user: "Joel C. Salomon "
> > 1024-bit DSA key, ID 8C6CA66E, created 2009-02-05
>
>
>
> > pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage:
> > SCEA trust: undefined validity: full
> > [ full ] (1). Mister Magoo
> >
> > Command>
>
> Okay, now what do I do?
>
You type "save" to save your changes and upload the public key to a keyserver:
gpg --send-keys DEADBEEF
Raimar
From steveo at syslang.net Thu May 7 17:39:13 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Thu, 7 May 2009 11:39:13 -0400 (EDT)
Subject: How to import a key from GPG 1.4.9 to PGP ?
In-Reply-To: <4A02836E.3040204@sixdemonbag.org>
References: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com>
<4A02836E.3040204@sixdemonbag.org>
Message-ID:
On Thursday, May 7th 2009 at 02:45 -0000, quoth Robert J. Hansen:
=>gpg2.20.maniams at dfgh.net wrote:
=>> How to import a key pair (my own secret and public keys) from GPG 1.4.9
=>> to PGP 6.5 ?
=>
=>This is generally not worth doing. It can be done, but it is not
=>recommended.
=>
=>Is there any possibility of installing PGP 9.x on your XP machine instead?
=>
Great. I'd love to know what's going on here. I tried to read Faramir's
message and I get a command failure.
To: "gnupg-users at gnupg.org"
Subject: Re: How to import a key from GPG 1.4.9 to PGP ?
----------------------------------------------------------------------------
/home/steveo/libexec/ppf/ppf_verify: pgp command failed"
gpg: Signature made Thu May 7 02:19:07 2009 EDT using RSA key ID EF733C40
gpg: BAD signature from "Javier Fern
532 > gpg2 --list-keys -v 0x82121A454319410E
gpg: using PGP trust model
pub 2048R/4319410E 2008-04-14
uid Javier Fernndez Almirall (aka Faramir.cl)
uid Faramir
uid [ revoked] Galdhrim (Javier)
uid Javier Fernndez Almirall (GSWoT:CL68)
uid Faramir.cl (It's a nickname, of course)
uid Javier Fernndez Almirall (CAcert Assurer)
sub 2048R/1771E69C 2008-04-14 [revoked: 2008-05-16]
sub 2048R/2E6CD89E 2008-04-15
sub 2048R/EF733C40 2008-05-16
The message looked like this:
X-Enigmail-Version: 0.95.7
OpenPGP: id=4319410E;
url=http://tinyurl.com/0x4319410E
X-BeenThere: gnupg-users at gnupg.org
X-Mailman-Version: 2.1.10b1
Precedence: list
List-Id: Help and discussion among users of GnuPG
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: gnupg-users-bounces at gnupg.org
Errors-To: gnupg-users-bounces at gnupg.org
Status: RO
X-Status:
X-Keywords:
X-UID: 2
Is it me?
--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
From bahamutzero8825 at gmail.com Thu May 7 17:17:31 2009
From: bahamutzero8825 at gmail.com (Andrew Berg)
Date: Thu, 07 May 2009 10:17:31 -0500
Subject: How to 'un-sign' a key?
In-Reply-To: <4A02F3A0.2030308@gmail.com>
References: <4A02F3A0.2030308@gmail.com>
Message-ID: <4A02FB8B.7000806@gmail.com>
Joel C. Salomon wrote:
> I foolishly signed a key I had not verified well, and the signed version
> is on a keyserver. How can I unsign it?
>
Go back in time.
Seriously, there's nothing you can do about it once it's on a keyserver.
From jmoore3rd at bellsouth.net Thu May 7 18:36:46 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 07 May 2009 12:36:46 -0400
Subject: How to 'un-sign' a key?
In-Reply-To: <4A02F3A0.2030308@gmail.com>
References: <4A02F3A0.2030308@gmail.com>
Message-ID: <4A030E1E.60609@bellsouth.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Joel C. Salomon wrote:
> Folks,
>
> I foolishly signed a key I had not verified well, and the signed version
> is on a keyserver. How can I unsign it?
Select the Key with the offending Signature and revoke the Signature.
The command is --revsig from the Edit Key prompt.
Promptly disseminate the Key with the Sig Revoked via Key Servers and
perhaps a direct email to all correspondents. The 'trick' will be to
get the Key Owner to re-Import His Key with the [revoked] flag on Your
Sig. :-\
JOHN ;)
Timestamp: Thursday 07 May 2009, 12:36 --400 (Eastern Daylight Time)
From wk at gnupg.org Thu May 7 19:48:35 2009
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 May 2009 19:48:35 +0200
Subject: How to import a key from GPG 1.4.9 to PGP ?
In-Reply-To: (Steven
W. Orr's message of "Thu, 7 May 2009 11:39:13 -0400 (EDT)")
References: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com>
<4A02836E.3040204@sixdemonbag.org>
Message-ID: <87eiv07qj0.fsf@wheatstone.g10code.de>
On Thu, 7 May 2009 17:39, steveo at syslang.net said:
> /home/steveo/libexec/ppf/ppf_verify: pgp command failed"
I don't know this tool.
> gpg: Signature made Thu May 7 02:19:07 2009 EDT using RSA key ID EF733C40
> gpg: BAD signature from "Javier Fern
I just did a verify:
$ gpg --verify -v x
gpg: armor header: Hash: SHA256
gpg: armor header: Version: GnuPG v1.4.9 (MingW32)
gpg: armor header: Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
[..]
gpg: Good signature from "Javier Fern.%G???.%@dez Almirall (aka Faramir.cl)"
[...]
gpg: textmode signature, digest algorithm SHA256
and it works fine. Maybe the tool can't cope with the base64 encoded
clearsigned message:
> The message looked like this:
> Content-Transfer-Encoding: base64
[..]
> LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTSEEyNTYKCmdwZzIuMjAu
> bWFuaWFtc0BkZmdoLm5ldCBlc2NyaWJpw7M6Cj4gRGVhciBMaXN0Cj4gCj4gCj4gSG93IHRvIGlt
You need to do something like
mimencode -u | gpg --verify
However the mail reader usually does this for you.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
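The failure Werner describes above, as an added example that is not part of the original thread: a clearsigned text that sits inside a base64 transfer-encoded mail body is invisible to a verifier until the transfer encoding is undone. The sample mail, its placeholder signature block and all function names are constructed for illustration.

```python
import base64
import email
import re
import shutil
import subprocess

MARKER = b"-----BEGIN PGP SIGNED MESSAGE-----"
# base64 of the first 33 marker bytes (a multiple of 3, so the encoding does
# not depend on what follows): the tell-tale start of a still-encoded body.
MARKER_B64 = base64.b64encode(MARKER[:33]).decode()

# Constructed clearsigned text. The signature block is a placeholder, so gpg
# would reject it; only the framing matters here.
CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Constructed body line for the example.\n"
    "- -- a dash-escaped line\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDERplaceholderPLACEHOLDER\n"
    "-----END PGP SIGNATURE-----\n"
)

# Constructed mail carrying that text with the transfer encoding quoted above.
RAW_MAIL = (
    "From: sender@example.org\n"
    "Subject: constructed example\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(CLEARSIGNED.encode("utf-8")).decode("ascii")
)

BLOCK_RE = re.compile(
    r"^-----BEGIN PGP SIGNED MESSAGE-----\r?\n"
    r"(?P<headers>(?:[^\r\n]+\r?\n)*)\r?\n"
    r".*?"
    r"^-----BEGIN PGP SIGNATURE-----\r?\n.*?"
    r"^-----END PGP SIGNATURE-----[ \t]*\r?\n?",
    re.DOTALL | re.MULTILINE,
)


def raw_body(raw_mail: str) -> str:
    """Body exactly as stored in the mailbox, transfer encoding untouched."""
    return email.message_from_string(raw_mail).get_payload()


def decoded_text(raw_mail: str) -> str:
    """First text/plain part with transfer encoding and charset undone."""
    for part in email.message_from_string(raw_mail).walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True)
            return data.decode(part.get_content_charset() or "ascii", "replace")
    raise ValueError("no text/plain part")


def clearsigned_block(text: str):
    """Return (block, hash_names) for the first clearsigned block, else None."""
    m = BLOCK_RE.search(text)
    if m is None:
        return None
    hashes = []
    for line in m.group("headers").splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "hash":
            hashes += [h.strip() for h in value.split(",") if h.strip()]
    return m.group(0), hashes


def diagnose(raw_mail: str) -> str:
    """Say what a verifier would have to be given for this mail."""
    body = raw_body(raw_mail)
    if clearsigned_block(body):
        return "clearsigned text is already plain; verify the body as-is"
    if MARKER_B64 in body.replace("\r", "").replace("\n", ""):
        return "body is base64 transfer-encoded; decode before verifying"
    return "no clearsigned block found"


def gpg_verify(block: str) -> bool:
    """Feed the decoded block to `gpg --verify` on stdin, if gpg is installed."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found")
    done = subprocess.run(["gpg", "--verify"], input=block.encode("utf-8"),
                          capture_output=True)
    return done.returncode == 0
```
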
From cathy.smith at pnl.gov Thu May 7 20:27:23 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Thu, 7 May 2009 11:27:23 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8827.1070102@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com>
<49FA76FD.4040501@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
<49FB7E5E.9060101@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov>
<49FB8404.7000600@sixdemonbag.org>
<255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov>
<49FB8827.1070102@sixdemonbag.org>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAAE3@EMAIL03.pnl.gov>
I wanted to provide closure on this thread. The customer was able to
accept the public key that I generated using this method.
I learned from the customer yesterday that they are using Bouncy Castle,
bcpg v. 1.33.
Thanks very much for your help.
Regards,
Cathy
---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith at pnl.gov
-----Original Message-----
From: Robert J. Hansen [mailto:rjh at sixdemonbag.org]
Sent: Friday, May 01, 2009 4:39 PM
To: Smith, Cathy
Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr
Subject: Re: Selecting cipher to generate a key pair
Smith, Cathy wrote:
> The customer said they have a proprietary implementation that only
> supports Blowfish or 3DES for the key. I'm still trying to find out
> exactly what that means.
Okay, that much makes sense now.
I would suggest adding:
cipher-algo 3DES
... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and
not one I'd generally recommend; however, the downsides are pretty
minimal. Then encrypt a message using their public key and send it on
to them. If they can read it, great. If they can't, then the problem
is their proprietary implementation of OpenPGP is shoddy.
Incidentally, if your customer is a telecommunications firm, I think I
may know the implementation they're using and some of its more egregious
misfeatures. Other than that one and PGP Corporation's offering,
though, I have no experience with proprietary OpenPGP offerings.
From christoph.anton.mitterer at physik.uni-muenchen.de Fri May 8 01:17:33 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Fri, 08 May 2009 01:17:33 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <5566128E-F02F-4AB4-B53C-97EC117AF688@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<20090503121703.GA10433@ruderich.org>
<742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
<1241458805.4024.8.camel@fermat.scientia.net>
<1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com>
<1241558474.8226.8.camel@fermat.scientia.net>
<5566128E-F02F-4AB4-B53C-97EC117AF688@jabberwocky.com>
Message-ID: <1241738253.20039.5.camel@fermat.scientia.net>
On Tue, 2009-05-05 at 22:16 -0400, David Shaw wrote:
> > I'm not sure if this leads to the same discussion that we had some
> > time
> > ago on the WG-list (about explicitly revoking previous self-sigs),...
> > but if a key has self-sigs with different hash-algos,... does this
> > "allow" downgrade-attacks or that like?
>
> It depends on the attack. What is the attack you are concerned about?
Nothing specific,... it was my question, whether there could be any
attacks,.. using the fact, that an older self-sig with "weaker" hash
algo is available.
> > Even when they see, that the self-sig with the "better" algo, has a
> > newer creation date?
> > Would consider this critical :/
>
> They mustn't do this. They can't, really. It would enable a pretty
> trivial DoS if I could make up a bogus self-sig with some hash number
> that isn't even allocated yet, but a later date, and send it to a
> keyserver to be attached to my victim key. GPG must treat any
> signature that does not verify as irrelevant.
Oops,.. of course you're right,.. but then it's possible,... that e.g.
the newer self-sig (with the newer hash algo) contains e.g. a key
revocation, or something else security relevant (e.g. important new
policy).
As the older signature is not revoked,.. and the newer is not understood
(thus ignored),... this could lead to problems, or am I wrong?
Cheers,
Chris
From dshaw at jabberwocky.com Fri May 8 02:09:31 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 7 May 2009 20:09:31 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <1241738253.20039.5.camel@fermat.scientia.net>
References: <20090502102545.GA17546@ruderich.org>
<8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
<20090503121703.GA10433@ruderich.org>
<742209AC-3884-468C-AC30-63E250335682@jabberwocky.com>
<1241458805.4024.8.camel@fermat.scientia.net>
<1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com>
<1241558474.8226.8.camel@fermat.scientia.net>
<5566128E-F02F-4AB4-B53C-97EC117AF688@jabberwocky.com>
<1241738253.20039.5.camel@fermat.scientia.net>
Message-ID: <46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com>
On May 7, 2009, at 7:17 PM, Christoph Anton Mitterer wrote:
> On Tue, 2009-05-05 at 22:16 -0400, David Shaw wrote:
>>> I'm not sure if this leads to the same discussion that we had some
>>> time
>>> ago on the WG-list (about explicitly revoking previous self-
>>> sigs),...
>>> but if a key has self-sigs with different hash-algos,... does this
>>> "allow" downgrade-attacks or that like?
>>
>> It depends on the attack. What is the attack you are concerned
>> about?
>
> Nothing specific,... it was my question, whether there could be any
> attacks,.. using the fact, that an older self-sig with "weaker" hash
> algo is available.
It depends on what the attack is :)
One fear that I've seen talked about for SHA-1 is that an attacker can
create a duplicate document such that if you signed document or key A,
they could come up with a document or key B that your signature would
equally apply to. That fear is more than a little overblown. Even
MD5 hasn't been broken to that extent.
But for the sake of argument, let's say that this fear is realistic.
In that case, it doesn't make much of a difference whether you re-sign
or not. If you do re-sign, the attacker can still get the earlier
signature from a keyserver. Even if you revoke it, the old signature
is still there.
>>> Even when they see, that the self-sig with the "better" algo, has a
>>> newer creation date?
>>> Would consider this critical :/
>>
>> They mustn't do this. They can't, really. It would enable a pretty
>> trivial DoS if I could make up a bogus self-sig with some hash number
>> that isn't even allocated yet, but a later date, and send it to a
>> keyserver to be attached to my victim key. GPG must treat any
>> signature that does not verify as irrelevant.
>
> Oops,.. of course you're right,.. but then it's possible,... that e.g.
> the newer self-sig (with the newer hash algo) contains e.g. a key
> revocation, or something else security relevant (e.g. important new
> policy).
> As the older signature is not revoked,.. and the newer is not
> understood
> (thus ignored),... this could lead to problems, or am I wrong?
No, you are right. When making an important statement about your key,
and you want to make it with an algorithm that doesn't have widespread
support yet, you do need to take into account that not everyone might
be able to understand your new statement. To them, it would be as if
you had said nothing at all.
A key revocation is a perfect example of this. You could end up with
part of the community thinking you revoked your key and part thinking
you did nothing. Personally, if I was revoking a key, I'd use
whatever hash algorithm I used for my self-sigs (using the logic that
anyone who could use my key at all would see it was revoked, and that
I don't particularly care if people who can't use my key at all
(because they don't know that hash) see if it is revoked or not).
David
From bahamutzero8825 at gmail.com Fri May 8 08:08:16 2009
From: bahamutzero8825 at gmail.com (Andrew Berg)
Date: Fri, 08 May 2009 01:08:16 -0500
Subject: How to 'un-sign' a key?
In-Reply-To: <4A030E1E.60609@bellsouth.net>
References: <4A02F3A0.2030308@gmail.com> <4A030E1E.60609@bellsouth.net>
Message-ID: <4A03CC50.3030809@gmail.com>
John W. Moore III wrote:
> Joel C. Salomon wrote:
> > Folks,
>
> > I foolishly signed a key I had not verified well, and the signed version
> > is on a keyserver. How can I unsign it?
>
> Select the Key with the offending Signature and revoke the Signature.
>
> The command is --revsig from the Edit Key prompt.
>
> Promptly disseminate the Key with the Sig Revoked via Key Servers and
> perhaps a direct email to all correspondents. The 'trick' will be to
> get the Key Owner to re-Import His Key with the [revoked] flag on Your
> Sig. :-\
I feel silly. I was thinking of something else for some reason and I
read the message too quickly. :-P
--
Key ID: 0xF88E034060A78FCB
Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB
Windows NT 6.0.6001.18226 | GPG 1.4.9 | Thunderbird 2.0.0.21 | Enigmail
0.95.7
From mail at 404not-found.de Fri May 8 09:14:27 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Fri, 8 May 2009 09:14:27 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org>
<1241738253.20039.5.camel@fermat.scientia.net>
<46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com>
Message-ID: <200905080914.38284.mail@404not-found.de>
On Friday 08 May 2009 02:09:31 David Shaw wrote:
> One fear that I've seen talked about for SHA-1 is that an attacker can
> create a duplicate document such that if you signed document or key A,
> they could come up with a document or key B that your signature would
> equally apply to. That fear is more than a little overblown. Even
> MD5 hasn't been broken to that extent.
http://eprint.iacr.org/2005/067.pdf
As far as I understand this paper, MD5 has been broken to that extent. For
SHA1 you're still right of course.
Raimar
From mail at 404not-found.de Fri May 8 09:26:29 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Fri, 8 May 2009 09:26:29 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <200905080914.38284.mail@404not-found.de>
References: <20090502102545.GA17546@ruderich.org>
<46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com>
<200905080914.38284.mail@404not-found.de>
Message-ID: <200905080926.44699.mail@404not-found.de>
On Friday 08 May 2009 09:14:27 Raimar Sandner wrote:
> On Friday 08 May 2009 02:09:31 David Shaw wrote:
> > One fear that I've seen talked about for SHA-1 is that an attacker can
> > create a duplicate document such that if you signed document or key A,
> > they could come up with a document or key B that your signature would
> > equally apply to. That fear is more than a little overblown. Even
> > MD5 hasn't been broken to that extent.
>
> http://eprint.iacr.org/2005/067.pdf
>
> As far as I understand this paper, MD5 has been broken to that extent. For
> SHA1 you're still right of course.
http://eprint.iacr.org/2009/111.pdf
Sorry, this is the reference I meant... even more impressive :)
From dshaw at jabberwocky.com Fri May 8 14:53:02 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 8 May 2009 08:53:02 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <200905080926.44699.mail@404not-found.de>
References: <20090502102545.GA17546@ruderich.org>
<46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com>
<200905080914.38284.mail@404not-found.de>
<200905080926.44699.mail@404not-found.de>
Message-ID:
On May 8, 2009, at 3:26 AM, Raimar Sandner wrote:
> On Friday 08 May 2009 09:14:27 Raimar Sandner wrote:
>> On Friday 08 May 2009 02:09:31 David Shaw wrote:
>>> One fear that I've seen talked about for SHA-1 is that an attacker
>>> can
>>> create a duplicate document such that if you signed document or
>>> key A,
>>> they could come up with a document or key B that your signature
>>> would
>>> equally apply to. That fear is more than a little overblown. Even
>>> MD5 hasn't been broken to that extent.
>>
>> http://eprint.iacr.org/2005/067.pdf
>>
>> As far as I understand this paper, MD5 has been broken to that
>> extent. For
>> SHA1 you're still right of course.
>
> http://eprint.iacr.org/2009/111.pdf
>
> Sorry, this is the reference I meant... even more impressive :)
That's a different sort of attack. In the rogue CA attack, the
attackers generated both A *and* B themselves. They then arranged to
have A signed, and were then able to reveal B as if it had also been
signed (massive oversimplification, of course, as there was a huge
amount of work involved in even making that work, but the point here
is that the attackers generated both A and B themselves). It's a
collision attack. This attack (which again I must stress does not yet
exist for SHA-1) is one of the reasons why it's a good idea to switch
to SHA-256 for new signatures. That's just prudent.
There is no current attack, however, against any hash algorithm in
OpenPGP, that would allow an attacker to pick some arbitrary signature
out there and generate a key or document that hashes to the same
value. This is a preimage attack, either variant of which could be
used against OpenPGP, but neither of them currently exist - not in
MD5, and certainly not in SHA-1. This (lack of) an attack is why I
don't think people need to worry all that much about their existing
signatures that are out there.
David
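The distinction David Shaw draws above between a collision (the searcher generates both A and B) and a preimage-style search (A already exists and is fixed), as an added toy demonstration that is not part of the original thread. The hash is SHA-256 truncated to an assumed 16 bits so both searches finish in seconds; the function names and sample messages are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # assumed toy digest width so the searches finish quickly


def toy_hash(data: bytes) -> int:
    """SHA-256 truncated to its first BITS bits (a deliberately weak stand-in)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - BITS)


def find_collision(label: bytes):
    """Collision setting: the searcher chooses both messages.

    Returns (a, b, tries) with a != b and toy_hash(a) == toy_hash(b).
    """
    seen = {}
    for n in count():
        msg = label + b"/" + str(n).encode()
        digest = toy_hash(msg)
        if digest in seen:
            return seen[digest], msg, n + 1
        seen[digest] = msg


def find_second_preimage(signed: bytes, label: bytes):
    """Second-preimage setting: `signed` already exists and cannot be chosen.

    Returns (other, tries) with other != signed and an equal toy_hash.
    """
    target = toy_hash(signed)
    for n in count():
        msg = label + b"/" + str(n).encode()
        if msg != signed and toy_hash(msg) == target:
            return msg, n + 1


def average_costs(trials: int = 4):
    """Mean number of hash evaluations for each search over `trials` runs."""
    collision_total = preimage_total = 0
    for t in range(trials):
        label = b"trial-%d" % t
        collision_total += find_collision(label)[2]
        signed = b"existing signed document %d" % t  # constructed sample input
        preimage_total += find_second_preimage(signed, label)[1]
    return collision_total / trials, preimage_total / trials


if __name__ == "__main__":
    c, p = average_costs()
    print(f"{BITS}-bit toy hash: collision ~{c:.0f} tries, "
          f"second preimage ~{p:.0f} tries")
    print(f"birthday bound 2^{BITS // 2} = {2 ** (BITS // 2)}, "
          f"brute force 2^{BITS} = {2 ** BITS}")
```

The generic costs scale as roughly 2^(n/2) for a collision and 2^n for a second preimage on an n-bit hash, which is why a collision result against a hash affects newly made signatures long before it affects signatures that already exist.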
From anotherrrr at gmail.com Wed May 6 12:11:27 2009
From: anotherrrr at gmail.com (Bob Yang)
Date: Wed, 6 May 2009 18:11:27 +0800
Subject: Cannot Decryption via UNIX shell script
Message-ID: <41db87800905060311t7f66e5c0o1638b01ec5a01781@mail.gmail.com>
Hi All,
I hit an error when using the script below.
gpg -e "key" "file" <
From mix at awxcnx.de Thu May 7 11:34:20 2009
From: mix at awxcnx.de (Anonymous Remailer)
Date: Thu, 07 May 2009 11:34:20 +0200
Subject: delete bad UID from key on keyserver?
Message-ID:
Hi,
One of my email accounts is unusable so I deleted the UID from my key
and uploaded it to the keyserver. That accomplished nothing so now I
figured out I should have invalidated the UID and then uploaded it. I
can't do that now because I deleted the UID from my key.
I have to get rid of this email address from my key or people will
continue mailing me and I won't get the mails. Is there some way I can
delete this UID from my key on the keyserver. I figured to try to add
the identical UID back and then invalidate it and then upload the key
but before I screw up again I figured to ask here. Thank you.
From jnhemley at yahoo.com Fri May 8 16:37:31 2009
From: jnhemley at yahoo.com (jnhemley)
Date: Fri, 8 May 2009 07:37:31 -0700 (PDT)
Subject: GPG Confirmation
Message-ID: <23447277.post@talk.nabble.com>
I was given a new key to use with our partner for encryption. Previously, the
key was working fine. I removed all keys and then imported our key and then
the partner's key. I set trust to ultimate. The encryption works but I now
get a confirmation message. How can I get rid of this confirmation message so
I can batch my encryption?
From pmabie at gmail.com Fri May 8 21:16:30 2009
From: pmabie at gmail.com (Patrick Mabie)
Date: Fri, 08 May 2009 15:16:30 -0400
Subject: gpg: WARNING: standard input reopened
Message-ID: <4A04850E.7010203@gmail.com>
Hello
I was just wondering, can I fix this?
RPM version 4.4.2.3
gnupg-1.4.5-14.x86_64
CentOS 5.3 x86_64
kernel : 2.6.18-128.1.10.el5
rpmbuild -bb Documents/Rpm/Spec/q7z-64.spec --sign
Generating signature: 1005
gpg: WARNING: standard input reopened
gpg: WARNING: standard input reopened
Have a good day!
Patrick.
From jmoore3rd at bellsouth.net Fri May 8 21:45:16 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Fri, 08 May 2009 15:45:16 -0400
Subject: delete bad UID from key on keyserver?
In-Reply-To:
References:
Message-ID: <4A048BCC.6060808@bellsouth.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Anonymous Remailer wrote:
> One of my email accounts is unusable so I deleted the UID from my key
> and uploaded it to the keyserver. That accomplished nothing so now I
> figured out I should have invalidated the UID and then uploaded it. I
> can't do that now because I deleted the UID from my key.
>
> I have to get rid of this email address from my key or people will
> continue mailing me and I won't get the mails. Is there some way I can
> delete this UID from my key on the keyserver. I figured to try to add
> the identical UID back and then invalidate it and then upload the key
> but before I screw up again I figured to ask here. Thank you.
Ahem........
Refresh Your Key from the Keyserver and then Revoke the UID which You
will have fetched from the Keyserver. Then Upload the Key with the
Revoked UID on it. Then Clean Your Key in Your Keyring and be prepared
to repeat having to deluid every time Your Key is either returned to You
signed because the revoked UID will forever remain on the Server.
For this reason many folks prefer to maintain a Listing on Big Lumber or
a Personal Web Page because only that way can You control exactly how
the Key is retrieved by Others.
HTH
JOHN ;)
Timestamp: Friday 08 May 2009, 15:44 --400 (Eastern Daylight Time)
From John at Mozilla-Enigmail.org Fri May 8 21:54:02 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Fri, 08 May 2009 14:54:02 -0500
Subject: delete bad UID from key on keyserver?
In-Reply-To:
References:
Message-ID: <4A048DDA.40405@Mozilla-Enigmail.org>
Anonymous Remailer wrote:
> Hi,
>
> One of my email accounts is unusable so I deleted the UID from my key
> and uploaded it to the keyserver. That accomplished nothing so now I
> figured out I should have invalidated the UID and then uploaded it. I
> can't do that now because I deleted the UID from my key.
You cannot delete information from the keyservers. This is by design.
> I have to get rid of this email address from my key or people will
> continue mailing me and I won't get the mails. Is there some way I
> can delete this UID from my key on the keyserver. I figured to try to
> add the identical UID back and then invalidate it and then upload the
> key but before I screw up again I figured to ask here. Thank you.
Do not try adding a new uid with the same email. That will give you two
copies of that address.
Refresh your key from a keyserver. This will restore the UID you thought
you could delete:
gpg --keyserver pool.sks-keyservers.net -refresh-keys 0xdecafbad
Now use gpg to revoke the UID:
gpg --edit-key 0xdecafbad
gpg displays a list of UIDs on the key. Enter the number of the UID you
wish to revoke. The list is redisplayed with an * next to the selected
one. Now use the gpg command revuid to revoke:
Command> revuid
Really revoke this user ID? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
4 = User ID is no longer valid
Q = Cancel
(Probably you want to select 4 here)
Your decision? 4
Answer the passphrase prompt and 'save' to update your keyring with the
modified key. Now send the key with revoked UID to the keyservers
gpg --keyserver pool.sks-keyservers.net -send-keys 0xdecafbad
--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
From dshaw at jabberwocky.com Fri May 8 22:09:19 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 8 May 2009 16:09:19 -0400
Subject: gpg: WARNING: standard input reopened
In-Reply-To: <4A04850E.7010203@gmail.com>
References: <4A04850E.7010203@gmail.com>
Message-ID: <62F6C833-331C-403C-B8E8-EA6881716EC2@jabberwocky.com>
On May 8, 2009, at 3:16 PM, Patrick Mabie wrote:
> Hello
> I was just wondering, can I fix this?
>
> RPM version 4.4.2.3
> gnupg-1.4.5-14.x86_64
> CentOS 5.3 x86_64
> kernel : 2.6.18-128.1.10.el5
>
> rpmbuild -bb Documents/Rpm/Spec/q7z-64.spec --sign
>
> Generating signature: 1005
> gpg: WARNING: standard input reopened
> gpg: WARNING: standard input reopened
It's an old bug in RPM, but it was fixed a long time ago.
https://bugzilla.redhat.com/show_bug.cgi?id=197602
The fix is to upgrade your version of RPM. In the meantime, you can
ignore the error. It's harmless in the RPM case.
David
From dshaw at jabberwocky.com Fri May 8 22:11:19 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 8 May 2009 16:11:19 -0400
Subject: GPG Confirmation
In-Reply-To: <23447277.post@talk.nabble.com>
References: <23447277.post@talk.nabble.com>
Message-ID:
On May 8, 2009, at 10:37 AM, jnhemley wrote:
>
> I was given a new key to use with our partner for encryption.
> Previously, the
> key was working fine. I removed all keys and then imported our key
> and then
> the partner's key. I set trust to ultimate. The encryption works but
> I now
> get a confirmation message. How can I get rid of this confirmation
> message so
> I can batch my encryption?
You need to tell GPG that your partner's key is valid. To do this:
gpg -u my-key --lsign-key my-partner-key
Then set 'my-key' to ultimate trust if you haven't done that already.
David
From webmaster at felipe1982.com Sat May 9 07:54:33 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Sat, 9 May 2009 15:54:33 +1000
Subject: Cannot Decryption via UNIX shell script
In-Reply-To: <41db87800905060311t7f66e5c0o1638b01ec5a01781@mail.gmail.com>
References: <41db87800905060311t7f66e5c0o1638b01ec5a01781@mail.gmail.com>
Message-ID: <200905091554.39133.webmaster@felipe1982.com>
On Wed, 6 May 2009 20:11:27 Bob Yang wrote:
> Hi All,
>
> I hit error when using the below script.
>
> gpg -e "key" "file" <<EOF
> yes
> EOF
>
> Error:
> It is NOT certain that the key belongs to the person named
> in the user ID. If you *really* know what you are doing,
> you may answer the next question with yes
>
> Use this key anyway?
>
> Does anyone come across this before?
>
> Thanks,
> Bob
You must sign that recipient's public key with your private key. Do this
only after verifying that the public key does indeed belong to the
intended recipient. For example, don't blindly sign a key that says
bill.gates at microsoft.com if you are not sure that the key belongs to
Bill Gates. It may belong to "me" and I will have the private key to
decrypt any messages that you send (of course, I do not have an
email address at domain microsoft.com). Also, if you choose "file" (as
you have in your script) there is no need to provide standard input (as
you wrote <
From tspivey at pcdesk.net Sun May 10 14:52:21 2009
From: tspivey at pcdesk.net (Tyler Spivey)
Date: Sun, 10 May 2009 05:52:21 -0700
Subject: Problems changing hash algo for clearsign
Message-ID: <20090510125201.GA4531@arch1>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello. I'm trying to make any message I clearsign
have a hash of SHA256.
Here is what I've done so far:
I've added "personal-digest-preferences SHA256" to the end of my gpg.conf file. According
to the manpage, this should be enough; since the manpage states:
The most highly ranked digest algorithm in
this list is algo used when signing without encryption (e.g. --clearsign or
--sign).
but if I gpg --clearsign a test file, the hash at the top says SHA1. I've verified that
My gpg 1.4.9 has sha256,
and I can force it with --digest-algo sha256.
What do I need to do to make it default to that on signs/clearsigns?
From bob.henson at galen.org.uk Sun May 10 16:58:33 2009
From: bob.henson at galen.org.uk (Bob Henson)
Date: Sun, 10 May 2009 15:58:33 +0100
Subject: Problems changing hash algo for clearsign
In-Reply-To: <20090510125201.GA4531@arch1>
References: <20090510125201.GA4531@arch1>
Message-ID: <4A06EB99.8030903@galen.org.uk>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Tyler Spivey wrote:
> and I can force it with --digest-algo sha256.
Add just "digest-algo SHA256" (without the parentheses) to your gpg.conf
file.
Regards,
Bob
From jmoore3rd at bellsouth.net Sun May 10 17:53:21 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 10 May 2009 11:53:21 -0400
Subject: Problems changing hash algo for clearsign
In-Reply-To: <20090510125201.GA4531@arch1>
References: <20090510125201.GA4531@arch1>
Message-ID: <4A06F871.3020907@bellsouth.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Tyler Spivey wrote:
> Hello. I'm trying to make any message I clearsign
> have a hash of SHA256.
> Here is what I've done so far:
> I've added "personal-digest-preferences SHA256" to the end of my gpg.conf file. According
> to the manpage, this should be enough; since the manpage states:
> The most highly ranked digest algorithm in
> this list is algo used when signing without encryption (e.g. --clearsign or
> --sign).
> What do I need to do to make it default to that on signs/clearsigns?
"Ranked" = the 1st digest algo listed in the preferences string. ;)
JOHN 8-)
Timestamp: Sunday 10 May 2009, 11:52 --400 (Eastern Daylight Time)
From dshaw at jabberwocky.com Sun May 10 20:04:13 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 10 May 2009 14:04:13 -0400
Subject: Problems changing hash algo for clearsign
In-Reply-To: <4A06EB99.8030903@galen.org.uk>
References: <20090510125201.GA4531@arch1> <4A06EB99.8030903@galen.org.uk>
Message-ID: <10EC0B84-AA89-47BE-B07B-E49059495B7D@jabberwocky.com>
On May 10, 2009, at 10:58 AM, Bob Henson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
>
> Tyler Spivey wrote:
>
>> and I can force it with --digest-algo sha256.
>
> Add just "digest-algo SHA256" (without the parentheses) to your
> gpg.conf
> file.
Please do not do this. There is an entire section entitled
INTEROPERABILITY in the manual giving reasons why this will almost
certainly break things for you.
David
From dshaw at jabberwocky.com Sun May 10 20:02:31 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 10 May 2009 14:02:31 -0400
Subject: Problems changing hash algo for clearsign
In-Reply-To: <20090510125201.GA4531@arch1>
References: <20090510125201.GA4531@arch1>
Message-ID: <54A20429-1C2C-4255-92C4-8EC165024E87@jabberwocky.com>
On May 10, 2009, at 8:52 AM, Tyler Spivey wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello. I'm trying to make any message I clearsign
> have a hash of SHA256.
If the key you are trying to make a SHA256 signature with is the same
one that you signed this message with, then you can't. It's a 1024-
bit DSA key, and that key can only use a 160 bit hash. (You can force
it to use SHA256, but you'll still end up using only 160 bits of the
256 bit hash).
David
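Added example, not part of David Shaw's message or of GnuPG's code: a Python sketch of why a DSA key with a 160-bit q only ever uses 160 bits of a longer hash. It assumes the leftmost-bits truncation rule that OpenPGP and FIPS 186-3 specify for DSA, and it builds throwaway 1024/160-bit parameters from a fixed seed; every function name here is made up for the illustration.

```python
import hashlib
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; good enough for throwaway demo parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def demo_dsa_params(rng, pbits=1024, qbits=160):
    """Constructed DSA domain parameters (p, q, g) with a qbits-bit q."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        target = rng.getrandbits(pbits) | (1 << (pbits - 1))
        k = target // q
        p = (k - k % 2) * q + 1            # p - 1 is an even multiple of q
        if p.bit_length() == pbits and is_probable_prime(p, rng):
            break
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)   # g generates the order-q subgroup


def digest_to_int(digest, q):
    """Keep only the leftmost bitlen(q) bits of the digest."""
    z = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - q.bit_length()
    return z >> excess if excess > 0 else z


def dsa_sign(digest, p, q, g, x, rng):
    z = digest_to_int(digest, q)
    while True:
        k = rng.randrange(1, q)            # per-signature secret
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s


def dsa_verify(digest, sig, p, q, g, y):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = digest_to_int(digest, q) * w % q
    u2 = r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def truncation_demo(seed=2009):
    rng = random.Random(seed)              # fixed seed: demo only, never for real keys
    p, q, g = demo_dsa_params(rng)
    x = rng.randrange(1, q)                # private key
    y = pow(g, x, p)                       # public key
    digest = hashlib.sha256(b"constructed test message").digest()
    sig = dsa_sign(digest, p, q, g, x, rng)
    # Invert every bit of the last 96 bits, which a 160-bit q never sees.
    tail_changed = digest[:20] + bytes(b ^ 0xFF for b in digest[20:])
    # Flip a single bit inside the first 160 bits.
    head_changed = bytes([digest[0] ^ 0x01]) + digest[1:]
    return {
        "q_bits": q.bit_length(),
        "original": dsa_verify(digest, sig, p, q, g, y),
        "tail_changed": dsa_verify(tail_changed, sig, p, q, g, y),
        "head_changed": dsa_verify(head_changed, sig, p, q, g, y),
    }


if __name__ == "__main__":
    print(truncation_demo())
```

The signature still verifies after the last 96 bits of the SHA-256 digest are changed, so with this key size the signature binds only the first 160 bits of the hash.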
From mail at 404not-found.de Sun May 10 21:00:14 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Sun, 10 May 2009 21:00:14 +0200
Subject: Problems changing hash algo for clearsign
In-Reply-To: <20090510125201.GA4531@arch1>
References: <20090510125201.GA4531@arch1>
Message-ID: <200905102100.21388.mail@404not-found.de>
On Sunday 10 May 2009 14:52:21 Tyler Spivey wrote:
> Hello. I'm trying to make any message I clearsign
> have a hash of SHA256.
> Here is what I've done so far:
> I've added "personal-digest-preferences SHA256" to the end of my gpg.conf
> file. According to the manpage, this should be enough; since the manpage
> states:
> The most highly ranked digest algorithm in
> this list is algo used when signing without encryption (e.g.
> --clearsign or --sign).
>
> but if I gpg --clearsign a test file, the hash at the top says SHA1. I've
> verified that My gpg 1.4.9 has sha256,
> and I can force it with --digest-algo sha256.
> What do I need to do to make it default to that on signs/clearsigns?
You might find this thread interesting:
http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036338.html
especially David's reply
http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036344.html
Raimar
From rjh at sixdemonbag.org Mon May 11 00:00:06 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 10 May 2009 18:00:06 -0400
Subject: Problems changing hash algo for clearsign
In-Reply-To: <4A06EB99.8030903@galen.org.uk>
References: <20090510125201.GA4531@arch1> <4A06EB99.8030903@galen.org.uk>
Message-ID: <4A074E66.2020200@sixdemonbag.org>
Bob Henson wrote:
> Add just "digest-algo SHA256" (without the parentheses) to your gpg.conf
> file.
Please don't. This is usually the wrong solution.
From Beth.C.Coffman at fnis.com Fri May 8 23:30:39 2009
From: Beth.C.Coffman at fnis.com (Coffman, Beth C)
Date: Fri, 8 May 2009 16:30:39 -0500
Subject: Decryption streaming
Message-ID:
What is a good way to write a C++ app to decrypt multiple large
PGP-encrypted files simultaneously into memory? I cannot have the
plaintext output in a file on disk at any time. Preferably, one block
of data from the file will be decrypted at a time. Therefore, the
entire file or files will not need to reside in memory.
Thanks,
Beth
From nobody at nymu.eu Sat May 9 00:12:32 2009
From: nobody at nymu.eu (Anonymous)
Date: Fri, 8 May 2009 23:12:32 +0100 (BST)
Subject: How to delete bad UID???
Message-ID:
Hi,
I have to delete a UID from my key on keyservers because the email
address is no good. I deleted the UID from my key and uploaded it
again but this didn't do anything so I figured I have to invalidate
the UID and upload the key again. But I already deleted the UID from
my key what I am supposed to do now? Is there some way to delete this
email address from my key or people will send mail to a bad address.
From platitsa at sfsu.edu Sat May 9 01:31:37 2009
From: platitsa at sfsu.edu (pin_sf)
Date: Fri, 8 May 2009 16:31:37 -0700 (PDT)
Subject: GPG 2.0.11 and Vista
Message-ID: <23455279.post@talk.nabble.com>
I would like to know if the latest version of GPG supports Vista. Thank
you!!!
From anonymous at anonymitaet-im-inter.net Sun May 10 18:20:50 2009
From: anonymous at anonymitaet-im-inter.net (Dave U. Random)
Date: Sun, 10 May 2009 18:20:50 +0200 (CEST)
Subject: delete bad UID from key on keyserver?
References: <4A048DDA.40405__2302.86345254189$1241812595$gmane$org@Mozilla-Enigmail.org>
Message-ID: <7f6d74c7d32428754a4f419af6d56e4d@anonymitaet-im-inter.net>
Thanks very much, John. The instructions worked a treat. One point for
anyone reading this in the mail list archives, you need to write
--refresh-keys (two dashes rather than one in the example).
Cheers.
From nobody at pseudo.borked.net Mon May 11 01:34:54 2009
From: nobody at pseudo.borked.net (Borked Pseudo Mailed)
Date: Sun, 10 May 2009 17:34:54 -0600 (MDT)
Subject: delete bad UID from key on keyserver?
References: <4A048BCC.6060808__44253.251530654$1241812045$gmane$org@bellsouth.net>
Message-ID: <8f68f4bb424c49443b5e284c51bf11c7@pseudo.borked.net>
Thank you.
From nobody at pseudo.borked.net Mon May 11 00:39:15 2009
From: nobody at pseudo.borked.net (Borked Pseudo Mailed)
Date: Sun, 10 May 2009 16:39:15 -0600 (MDT)
Subject: delete bad UID from key on keyserver?
References: <4A048BCC.6060808__44253.251530654$1241812045$gmane$org@bellsouth.net>
Message-ID: <8f68f4bb424c49443b5e284c51bf11c7@pseudo.borked.net>
Thank you.
From sanjeev_g11 at hotmail.com Mon May 11 18:44:32 2009
From: sanjeev_g11 at hotmail.com (Sanjeev Gupta)
Date: Mon, 11 May 2009 12:44:32 -0400
Subject: Question regarding signature
Message-ID:
All,
I have 2 different vendors and I would like to sign their keys using 2 different private keys. I don't want to share my public key between them. Whenever I try to sign the key the software doesn't give me the option to select my own key, it always uses my default key. How can I achieve this? Please help me as I need to finish this project ASAP.
Thanks
-Sanjeev
From ecol2009 at gmail.com Tue May 12 03:22:56 2009
From: ecol2009 at gmail.com (nana nana)
Date: Tue, 12 May 2009 03:22:56 +0200
Subject: Question
Message-ID: <9d632db30905111822y5671fd04rc4e3a6d6341b5c66@mail.gmail.com>
hello,
i found your work in http://www.gnupg.org/download/
i read the instruction .i try to use it ,i install it but i don't know why i
have only; 03 file .txt and the home page with install application ?
where is the problem ,
thanks.
its very important to me.
From dshaw at jabberwocky.com Tue May 12 15:38:20 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 12 May 2009 09:38:20 -0400
Subject: Question regarding signature
In-Reply-To:
References:
Message-ID: <0EAD9C39-1380-48C8-986C-E2D134754246@jabberwocky.com>
On May 11, 2009, at 12:44 PM, Sanjeev Gupta wrote:
> All,
>
> I have 2 different vendors and I would like to sign their keys
> using 2 different private keys. I don't want to share my public key
> between them. Whenever I try to sign the key the software doesn't
> give me the option to select my own key, it always uses my default
> key. How can I achieve this? Please help me as I need to finish this
> project ASAP.
gpg -u (the-key-i-want-to-sign-with) --sign-key (the-key-i-want-to-sign)
David
From dshaw at jabberwocky.com Tue May 12 16:20:05 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 12 May 2009 10:20:05 -0400
Subject: Decryption streaming
In-Reply-To:
References:
Message-ID: <4E37EED5-7256-494D-8864-884BBA7C2C8C@jabberwocky.com>
On May 8, 2009, at 5:30 PM, Coffman, Beth C wrote:
> What is a good way to write a C++ app to decrypt multiple large PGP-
> encrypted files simultaneously into memory? I cannot have the
> plaintext output in a file on disk at any time. Preferably, one
> block of data from the file will be decrypted at a time. Therefore,
> the entire file or files will not need to reside in memory.
GPG (the program) can decrypt as a stream. You can either write a
program that wraps around it, or use the GPGME library to do the work
for you.
David
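Added example, not from the original thread or from GnuPG: one way to take the "write a program that wraps around it" route, shown in Python rather than C++. It assumes gpg is on PATH and can use the secret key without prompting (for example through an agent); the function names and the argv parameter are hypothetical.

```python
import hashlib
import subprocess
from concurrent.futures import ThreadPoolExecutor

# Assumption: gpg is on PATH and needs no interactive passphrase prompt.
GPG_ARGV = ("gpg", "--batch", "--decrypt")


class DecryptionFailed(Exception):
    def __init__(self, returncode):
        super().__init__(f"decryption command exited with status {returncode}")
        self.returncode = returncode


def decrypt_stream(path, chunk_size=64 * 1024, argv=GPG_ARGV):
    """Yield plaintext in chunks read from the command's stdout pipe.

    Nothing is written to disk by this wrapper. Plaintext arrives before
    the command has finished, so a damaged or truncated input is only
    reported through the exit status, which is checked after the last chunk.
    """
    proc = subprocess.Popen([*argv, path], stdout=subprocess.PIPE)
    finished = False
    try:
        for chunk in iter(lambda: proc.stdout.read(chunk_size), b""):
            yield chunk
        finished = True
    finally:
        if not finished:          # consumer stopped early or raised
            proc.kill()
        proc.stdout.close()
        returncode = proc.wait()
    if returncode != 0:
        raise DecryptionFailed(returncode)


def plaintext_digest(path, chunk_size=64 * 1024, argv=GPG_ARGV):
    """Example consumer: hash the plaintext holding one chunk at a time."""
    h = hashlib.sha256()
    total = 0
    for chunk in decrypt_stream(path, chunk_size, argv):
        h.update(chunk)           # process the block, then let it go
        total += len(chunk)
    # Reached only when the command exited with status 0; on failure the
    # partial result above is discarded by the exception.
    return total, h.hexdigest()


def digest_many(paths, argv=GPG_ARGV, workers=4):
    """Decrypt several files at once, one child process per file."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {p: pool.submit(plaintext_digest, p, 64 * 1024, argv)
                   for p in paths}
        for p, fut in futures.items():
            try:
                results[p] = fut.result()
            except DecryptionFailed as exc:
                results[p] = exc
    return results
```

Plaintext stays out of files this way, but nothing here stops the operating system from paging process memory to swap.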
From steveo at syslang.net Tue May 12 16:32:52 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Tue, 12 May 2009 10:32:52 -0400 (EDT)
Subject: Decryption streaming
In-Reply-To:
References:
Message-ID:
On Friday, May 8th 2009 at 17:30 -0000, quoth Coffman, Beth C:
=>What is a good way to write a C++ app to decrypt multiple
=>large PGP-encrypted files simultaneously into memory? I cannot have
=>the plaintext output in a file on disk at any time. Preferably, one block
=>of data from the file will be decrypted at a time. Therefore, the entire
=>file or files will not need to reside in memory.
=>
=>Thanks,
=>Beth
Hi Beth, I don't have the answer to your question, but I will say that you
need to tighten up on your specs: If your program is running under a
virtual memory model and you don't want your data to end up on disk then
you will have to do something with a large hammer to lock pages of memory,
or something along that line.
--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
From jmoore3rd at bellsouth.net Tue May 12 19:31:47 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 12 May 2009 13:31:47 -0400
Subject: GPG 2.0.11 and Vista
In-Reply-To: <23455279.post@talk.nabble.com>
References: <23455279.post@talk.nabble.com>
Message-ID: <4A09B283.7090402@bellsouth.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
pin_sf wrote:
> I would like to know if the latest version of GPG supports Vista. Thank
> you!!!
Short Answer: YES!
JOHN ;)
Timestamp: Tuesday 12 May 2009, 13:31 --400 (Eastern Daylight Time)
From faramir.cl at gmail.com Tue May 12 20:53:43 2009
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 12 May 2009 14:53:43 -0400
Subject: Question
In-Reply-To: <9d632db30905111822y5671fd04rc4e3a6d6341b5c66@mail.gmail.com>
References: <9d632db30905111822y5671fd04rc4e3a6d6341b5c66@mail.gmail.com>
Message-ID: <4A09C5B7.8050102@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
nana nana wrote:
> hello,
> i found your work in http://www.gnupg.org/download/
> i read the instruction .i try to use it ,i install it but i don't know
> why i have only; 03 file .txt and the home page with install application ?
> where is the problem ,
> thanks.
What operating system are you using? What kind of package did you
download from the download site?
Best Regards
From macshaggy at gmail.com Wed May 13 00:48:55 2009
From: macshaggy at gmail.com (Jake Bellew)
Date: Tue, 12 May 2009 18:48:55 -0400
Subject: Public Key not found.
Message-ID: <8D2DB6DF-3708-4916-A9BE-5CA91929EC35@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hey Everyone:
I keep getting this from gpg:
gpg: public key of ultimately trusted key {key id 1} not found
gpg: public key of ultimately trusted key {key id 2} not found
Possibly, while learning to use gpg I created two keys that I have
ultimate trust with but I'm not sure. How can I remove them from my
trustdb since I don't really know how they ended up there?
Any help would be appreciated.
Thank you,
Jake
Sent from Home
From webmaster at felipe1982.com Wed May 13 03:01:23 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Wed, 13 May 2009 11:01:23 +1000
Subject: Public Key not found.
In-Reply-To: <8D2DB6DF-3708-4916-A9BE-5CA91929EC35@gmail.com>
References: <8D2DB6DF-3708-4916-A9BE-5CA91929EC35@gmail.com>
Message-ID: <200905131101.38366.webmaster@felipe1982.com>
On Wed, 13 May 2009 08:48:55 Jake Bellew wrote:
> Possibly, while learning to use gpg I created two keys that I have
> ultimate trust with but I'm not sure. How can I remove them from my
> trustdb since I don't really know how they ended up there?
When I started out with gpg, I created and destroyed many private
keys. I was very careful not to use them seriously, only to mess with on
my private home suse box. I didn't upload them, and I didn't sign any
documents with them. I didn't share them with anybody. I destroyed
many, and made new ones, until I was comfortable with how gpg
worked, and how (a)symmetric crypto works, etc.
Hopefully you have not uploaded your public key to a public keyserver.
To delete your own private/public keys try
[gpg --delete-secret-and-public-key youremail at address.com]
Felipe
From stormer at stormer.org Wed May 13 07:39:06 2009
From: stormer at stormer.org (Stormer's Cgi-Archive)
Date: Wed, 13 May 2009 01:39:06 -0400
Subject: procmail and gpg
Message-ID:
I asked this one before... either no response or no one knows.
Has anyone got a procmail recipe that works so that any email sent to
a particular pop3 account will be encrypted with a public key?
maybe I am on the wrong list? Recommendations?
James
From Beth.C.Coffman at fnis.com Tue May 12 17:09:45 2009
From: Beth.C.Coffman at fnis.com (Coffman, Beth C)
Date: Tue, 12 May 2009 10:09:45 -0500
Subject: Decryption streaming
In-Reply-To: <4E37EED5-7256-494D-8864-884BBA7C2C8C@jabberwocky.com>
Message-ID:
Thanks. Does documentation exist anywhere for the individual methods
within the libraries? What about examples? I'm not sure what methods
to use from GPGME to accomplish my task. There is a lot of gnupg
documentation in general, but not on using the individual methods within
the libraries.
It looks like
minip12.c decrypt_block from gnupg-2.0.11 might do what I need, but I
don't see anything documenting what the "salt" and "pw" parameters are
supposed to be.
What I am looking to do is read and decrypt a small subset of data from
a file at a time, process it, delete it, and move on to decrypting the
next subset.
Beth
-----Original Message-----
From: David Shaw [mailto:dshaw at jabberwocky.com]
Sent: Tuesday, May 12, 2009 9:20 AM
To: Coffman, Beth C
Cc: gnupg-users at gnupg.org
Subject: Re: Decryption streaming
On May 8, 2009, at 5:30 PM, Coffman, Beth C wrote:
> What is a good way to write a C++ app to decrypt multiple large PGP-
> encrypted files simultaneously into memory? I cannot have the
> plaintext output in a file on disk at any time. Preferably, one block
> of data from the file will be decrypted at a time. Therefore, the
> entire file or files will not need to reside in memory.
GPG (the program) can decrypt as a stream. You can either write a
program that wraps around it, or use the GPGME library to do the work
for you.
David
From wk at gnupg.org Wed May 13 14:57:52 2009
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 May 2009 14:57:52 +0200
Subject: Decryption streaming
In-Reply-To:
(Beth C. Coffman's message of "Tue, 12 May 2009 10:09:45 -0500")
References:
Message-ID: <87hbzpxir3.fsf@wheatstone.g10code.de>
On Tue, 12 May 2009 17:09, Beth.C.Coffman at fnis.com said:
> minip12.c decrypt_block from gnupg-2.0.11 might do what I need, but I
> don't see anything documenting what the "salt" and "pw" parameters are
That is an internal function of gpg. You should not use it.
> What I am looking to do is read and decrypt a small subset of data from
> a file at a time, process it, delete it, and move on to decrypting the
> next subset.
Check out the gpgme manual and the examples available in the source
below tests/.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
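Added example, not part of the thread and not GnuPG or GPGME code: one way to wrap gpg as a stream, as David suggests, so that only one block of plaintext is in memory at a time and nothing is written to disk. The names stream_decrypt, DecryptionFailed and the gpg_cmd parameter are assumptions made for this example; blocks are handed over before gpg has finished verifying the message, so the caller discards its results if DecryptionFailed is raised.

```python
import subprocess
from typing import Callable, Sequence


class DecryptionFailed(Exception):
    """gpg exited non-zero; anything derived from delivered blocks must be discarded."""


def stream_decrypt(path: str,
                   on_block: Callable[[memoryview], None],
                   block_size: int = 64 * 1024,
                   gpg_cmd: Sequence[str] = ("gpg",)) -> int:
    """Decrypt `path` with gpg and pass the plaintext to `on_block` block by block.

    At most `block_size` bytes of plaintext are held here at once and the buffer
    is overwritten after every callback, so `on_block` must copy what it needs.
    The secret key has to be usable without a prompt (for example via gpg-agent).
    Returns the number of plaintext bytes; raises DecryptionFailed on gpg errors.
    `gpg_cmd` is an assumption of this example so that a stub can stand in for gpg.
    """
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    argv = [*gpg_cmd, "--batch", "--no-tty", "--decrypt", "--", path]
    buf = bytearray(block_size)
    view = memoryview(buf)
    total = 0
    with subprocess.Popen(argv, stdout=subprocess.PIPE) as proc:
        try:
            while True:
                n = proc.stdout.readinto(buf)
                if not n:                      # EOF: gpg closed its stdout
                    break
                on_block(view[:n])
                total += n
                view[:n] = bytes(n)            # wipe this block before reading the next
        except BaseException:
            proc.kill()                        # do not leave gpg running on errors
            raise
        finally:
            view[:] = bytes(block_size)
    # Leaving the "with" block waits for gpg, so returncode is set here.
    if proc.returncode != 0:
        raise DecryptionFailed(f"gpg exited with status {proc.returncode}")
    return total


if __name__ == "__main__":
    import sys

    # Usage: script FILE.gpg  -> prints the plaintext size without storing the plaintext.
    sizes = []
    try:
        stream_decrypt(sys.argv[1], lambda block: sizes.append(len(block)))
    except DecryptionFailed as exc:
        sys.exit(f"discarding partial results: {exc}")
    print(f"{sum(sizes)} bytes in {len(sizes)} blocks")
```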
From wk at gnupg.org Wed May 13 15:03:48 2009
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 May 2009 15:03:48 +0200
Subject: procmail and gpg
In-Reply-To:
(Stormer's Cgi-Archive's message of "Wed, 13 May 2009 01:39:06 -0400")
References:
Message-ID: <87d4adxih7.fsf@wheatstone.g10code.de>
On Wed, 13 May 2009 07:39, stormer at stormer.org said:
> Has anyone got a procmail recipe that works so that any email sent to
> a particular pop3 account will be encrypted with a public key?
I don't have one. I attach a script which does something similar: Take
a message and re-encrypt it to a list of recipients. It is more
complicated than what you want but you might get the idea.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpgmlrobot
Type: application/octet-stream
Size: 5569 bytes
Desc: not available
URL:
From mkrotzer at fastmail.fm Wed May 13 15:24:30 2009
From: mkrotzer at fastmail.fm (Matthew Krotzer)
Date: Wed, 13 May 2009 09:24:30 -0400
Subject: procmail and gpg
In-Reply-To:
References:
Message-ID: <20090513132429.GA8707@darkstar>
* Stormer's Cgi-Archive [090513 02:51]:
> I asked this one before... either no response or no one knows.
>
> Has anyone got a procmail recipe that works so that any email sent to
> a particular pop3 account will be encrypted with a public key?
>
> maybe I am on the wrong list? Recommendations?
>
> James
>
A procmail list would probably be a better place to get this
information. I don't use procmail, but this seems more like a
client setting to me. Folder-hooks, etc.
I don't understand what you are trying to do from the
description. Is there a singular public key for the account or
multiple? Are you setting this up on a private mailserver? My
email client, mutt, picks the right key for the right account
based on the key information.
Matthew
From mearns.b at gmail.com Wed May 13 16:28:03 2009
From: mearns.b at gmail.com (Brian Mearns)
Date: Wed, 13 May 2009 10:28:03 -0400
Subject: Question regarding signature
In-Reply-To: <4df3a1330905130550k5e6c973cg9616ebed656e5f0f@mail.gmail.com>
References:
<0EAD9C39-1380-48C8-986C-E2D134754246@jabberwocky.com>
<4df3a1330905130550k5e6c973cg9616ebed656e5f0f@mail.gmail.com>
Message-ID: <4df3a1330905130728s6e995abdva4d95b97697a08c9@mail.gmail.com>
On Tue, May 12, 2009 at 9:38 AM, David Shaw wrote:
> On May 11, 2009, at 12:44 PM, Sanjeev Gupta wrote:
>
>> All,
>>
>>    I have 2 different vendors and I would like to sign their keys using 2
>> different private keys. I don't want to share my public key between them.
>> Whenever I try to sign the key the software doesn't give me the option to
>> select my own key, it always uses my default key. How can I achieve this?
>> Please help me as I need to finish this project ASAP.
>
> gpg -u (the-key-i-want-to-sign-with) --sign-key (the-key-i-want-to-sign)
>
> David
>
>
I have to wonder why you don't want to share your public key between
them? You understand that's the whole point of public-key-cryptography
schemes like those used by gpg, right? A public key is public, it's
meant to be shared and doing so does not cause any [feasible] security
risks.
-Brian
--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
From jhs at berklix.org Wed May 13 17:25:34 2009
From: jhs at berklix.org (Julian Stacey)
Date: Wed, 13 May 2009 17:25:34 +0200
Subject: procmail and gpg
In-Reply-To: Your message "Wed, 13 May 2009 09:24:30 EDT."
<20090513132429.GA8707@darkstar>
Message-ID: <200905131525.n4DFPYWs061411@fire.js.berklix.net>
Matthew Krotzer wrote:
> * Stormer's Cgi-Archive [090513 02:51]:
> > I asked this one before... either no response or no one knows.
> >
> > Has anyone got a procmail recipe that works so that any email sent to
> > a particular pop3 account will be encrypted with a public key?
> >
> > maybe I am on the wrong list? Recommendations?
> >
> > James
> >
>
> A procmail list would probably be a better place to get this
> information. I don't use procmail, but this seems more like a
> client setting to me. Folder-hooks, etc.
>
> I don't understand what you are trying to do from the
> description. Is there a singular public key for the account or
> multiple? Are you setting this up on a private mailserver? My
> email client, mutt, picks the right key for the right account
> based on the key information.
>
> Matthew
I use procmail,
(but don't use gnupg much 'cept occasionally for customers,
hence lurker status ;-)
Seems a puzzling/ badly/ inadequately phrased question from Stormer.
- Normally one _en_crypts before sending
- Whereas one uses procmail on receipt.
- But POP3 implies local incoming account, else how would one know what
protocol another recipient uses to collect.
- Stormer talks of "sent to > a particular" rather than "received by .."
Puzzling.
Maybe Stormer means outgoing from private net, somehow wanting to
call procmail on a proxy or relay before heading out over net ? Or
he or she could mean other things. Question best re-defined & re-posted.
PS man procmail:
for submitting questions/answers.
for subscription requests.
If you would like to stay informed about new versions and official
patches send a subscription request to
procmail-announce-request at procmail.org
(this is a readonly list).
Cheers,
Julian
--
Julian Stacey: BSDUnixLinux C Prog Admin SysEng Consult Munich www.berklix.com
Mail plain ASCII text. HTML & Base64 text are spam. www.asciiribbon.org
From stormer at stormer.org Wed May 13 18:53:17 2009
From: stormer at stormer.org (Stormer's Cgi-Archive)
Date: Wed, 13 May 2009 12:53:17 -0400
Subject: procmail and gpg
In-Reply-To: <200905131525.n4DFPYWs061411@fire.js.berklix.net>
References: <20090513132429.GA8707@darkstar>
<200905131525.n4DFPYWs061411@fire.js.berklix.net>
Message-ID:
Julian,
Sorry for the initial description... here is why I want it...
What I would like to do is have a regular pop3 mail account on a
private server... any email sent TO that email address will be
encrypted with my public key when it arrives on the server. Then when
I download it into Mozilla
Thunderbird with EnigMail addon it will decrypt it. The usefulness
of this ability can be expanded to other perl/php scripts that email
information to that same pop3 but don't have any type of gpg port yet.
Thanks!
James
On Wed, May 13, 2009 at 11:25 AM, Julian Stacey wrote:
> Matthew Krotzer wrote:
>> * Stormer's Cgi-Archive [090513 02:51]:
>> > I asked this one before...  either no response or no one knows.
>> >
>> > Has anyone got a procmail recipe that works so that any email sent to
>> > a particular pop3 account will be encrypted with a public key?
>> >
>> > maybe I am on the wrong list?  Recommendations?
>> >
>> > James
>> >
>>
>> A procmail list would probably be a better place to get this
>> information. I don't use procmail, but this seems more like a
>> client setting to me. Folder-hooks, etc.
>>
>> I don't understand what you are trying to do from the
>> description. Is there a singular public key for the account or
>> multiple? Are you setting this up on a private mailserver? My
>> email client, mutt, picks the right key for the right account
>> based on the key information.
>>
>> Matthew
>
> I use procmail,
> (but don't use gnupg much 'cept occasionally for customers,
>  hence lurker status ;-)
> Seems a puzzling/ badly/ inadequately phrased question from Stormer.
> - Normally one _en_crypts before sending
> - Whereas one uses procmail on receipt.
> - But POP3 implies local incoming account, else how would one know what
>  protocol another recipient uses to collect.
> - Stormer talks of "sent to > a particular" rather than "received by .."
> Puzzling.
>
> Maybe Stormer means outgoing from private net, somehow wanting to
> call procmail on a proxy or relay before heading out over net ?  Or
> he or she could mean other things.  Question best re-defined & re-posted.
>
> PS man procmail:
>
>         for submitting questions/answers.
>
>         for subscription requests.
>
>     If you would like to stay informed about new versions and official
>     patches send a subscription request to
>         procmail-announce-request at procmail.org
>     (this is a readonly list).
>
> Cheers,
> Julian
> --
> Julian Stacey: BSDUnixLinux C Prog Admin SysEng Consult Munich www.berklix.com
>  Mail plain ASCII text.  HTML & Base64 text are spam. www.asciiribbon.org
>
--
Stormer's Cgi-Archive
http://www.stormer.org
From hrickards at l33tmyst.com Wed May 13 19:27:04 2009
From: hrickards at l33tmyst.com (Harry Rickards)
Date: Wed, 13 May 2009 18:27:04 +0100
Subject: procmail and gpg
In-Reply-To:
References: <20090513132429.GA8707@darkstar> <200905131525.n4DFPYWs061411@fire.js.berklix.net>
Message-ID: <4A0B02E8.7080801@l33tmyst.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/13/09 17:53, Stormer's Cgi-Archive wrote:
> Julian,
>
> Sorry for the initial description... here is why I want it...
>
> What I would like to do is have a regular pop3 mail account on a
> private server... any email sent TO that email address will be
> encrypted with my public key when it arrives on the server. Then when
> I download it into Mozilla
> Thunderbird with EnigMail addon it will decrypt it. The usefulness
> of this ability can be expanded to other perl/php scripts that email
> information to that same pop3 but don't have any type of gpg port yet.
>
> Thanks!
>
> James
>
>
> On Wed, May 13, 2009 at 11:25 AM, Julian Stacey wrote:
>> Matthew Krotzer wrote:
>>> * Stormer's Cgi-Archive [090513 02:51]:
>>>> I asked this one before... either no response or no one knows.
>>>>
>>>> Has anyone got a procmail recipe that works so that any email sent to
>>>> a particular pop3 account will be encrypted with a public key?
>>>>
>>>> maybe I am on the wrong list? Recommendations?
>>>>
>>>> James
>>>>
>>> A procmail list would probably be a better place to get this
>>> information. I don't use procmail, but this seems more like a
>>> client setting to me. Folder-hooks, etc.
>>>
>>> I don't understand what you are trying to do from the
>>> description. Is there a singular public key for the account or
>>> multiple? Are you setting this up on a private mailserver? My
>>> email client, mutt, picks the right key for the right account
>>> based on the key information.
>>>
>>> Matthew
>> I use procmail,
>> (but don't use gnupg much 'cept occasionally for customers,
>> hence lurker status ;-)
>> Seems a puzzling/ badly/ inadequately phrased question from Stormer.
>> - Normally one _en_crypts before sending
>> - Whereas one uses procmail on receipt.
>> - But POP3 implies local incoming account, else how would one know what
>> protocol another recipient uses to collect.
>> - Stormer talks of "sent to > a particular" rather than "received by .."
>> Puzzling.
>>
>> Maybe Stormer means outgoing from private net, somehow wanting to
>> call procmail on a proxy or relay before heading out over net ? Or
>> he or she could mean other things. Question best re-defined & re-posted.
>>
>> PS man procmail:
>>
>> for submitting questions/answers.
>>
>> for subscription requests.
>>
>> If you would like to stay informed about new versions and official
>> patches send a subscription request to
>> procmail-announce-request at procmail.org
>> (this is a readonly list).
>>
>> Cheers,
>> Julian
>> --
>> Julian Stacey: BSDUnixLinux C Prog Admin SysEng Consult Munich www.berklix.com
>> Mail plain ASCII text. HTML & Base64 text are spam. www.asciiribbon.org
>>
>
>
>
I asked about a similar thing recently on the debian-user mailing list.
Basically, we worked out that it would be hard to do, and would be a lot
easier just to encrypt the disk. That was using Postfix though. Let us
know if you find a solution.
- --
Many thanks
Harry Rickards
- -----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/GCM/GCS/GCC/GIT/GM d? s: a? C++++ UL++++ P- L+++ E--- W+++ N o K+
w--- O- M- V- PS+ PE Y+ PGP++ t 5 X R tv-- b+++ DI D---- G e* h! !r y?
- ------END GEEK CODE BLOCK------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkoLAugACgkQ1kZz3mRu0Go/oQCg5FtBokZNzv07m+wQQ3egtcuj
zGYAn0BhqgagSnx5TiYsIfnYeHw/KQm+
=dFOU
-----END PGP SIGNATURE-----
From stormer at stormer.org Thu May 14 08:51:33 2009
From: stormer at stormer.org (Stormer's Cgi-Archive)
Date: Thu, 14 May 2009 02:51:33 -0400
Subject: procmail and gpg
In-Reply-To: <20090514034807.GA28778@foursquare.net>
References:
<20090514034807.GA28778@foursquare.net>
Message-ID:
To all that responded,
I got it to work...
Here is how...
First, when executed by .procmailrc, the .gnupg directory needed to be
in the same directory as the .procmailrc file. It had to be
chown:chgrp for that user.
The procmailrc looks like this...
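:0
* ^X-ClamAV: clean
{
    # filter (f) the body (b) through gpg and wait (w) for its exit code
    :0fbw
    | gpg --encrypt -r 3BE2D343 --armor --output -

    # forward a copy (c) of the message
    :0c
    ! email2 at mydomain.com
}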
The only matching thing in all emails was the X-ClamAV: clean
What this does...
When an email comes into that pop account, it encrypts it and forwards
it to email2 at domain.com
cheers!
James
On Wed, May 13, 2009 at 11:48 PM, Chris Frey wrote:
> On Wed, May 13, 2009 at 01:39:06AM -0400, Stormer's Cgi-Archive wrote:
>> I asked this one before...  either no response or no one knows.
>>
>> Has anyone got a procmail recipe that works so that any email sent to
>> a particular pop3 account will be encrypted with a public key?
>>
>> maybe I am on the wrong list?  Recommendations?
>
> You need to make use of the idea of procmail filter rules.
>
> For example, I use a rule like this to adjust the Subject line of
> mail from the full-disclosure mailing list:
>
> ####### full-disclosure
> :0
> * ^List-Id:.*full-disclosure.lists.grok.org.uk
> {
>         # filter delivered mail's subject line for better mutt sorting
>         :0hfW
>         | sed -e '/^Subject: / s/\[Full-disclosure\] //'
>
>         # send to proper mailbox
>         :0
>         full-disclosure
> }
>
>
> The above was copied from a working setup.  You'll need to do some testing
> and playing around, but extrapolating from my above rule, I'd likely
> try something like this:
>
> # send body of email through a gpg filter, and make sure it succeeds
> :0bfW
> | gpg --armor -r cdfrey at foursquare.net --encrypt
>
>
> Hope that helps,
> - Chris
>
>
--
Stormer's Cgi-Archive
http://www.stormer.org
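Added example, not part of the thread: with the w flag procmail keeps the unfiltered message when the filter program fails, so the recipe above would go on to forward it unencrypted. This hypothetical filter (the script name encrypt-body, its install path and the gpg_cmd parameter are assumptions) emits ciphertext or fails, and the recipe in its docstring uses procmail's "a" flag so the forward only runs after a successful filter.

```python
#!/usr/bin/env python3
"""Body filter for a procmail ':0 fbw' recipe: emit ciphertext or fail, never plaintext.

Hypothetical recipe (key ID and address as in the post above). The 'a' flag makes
the forward run only if the recipe before it completed successfully:

    :0 fbw
    | $HOME/bin/encrypt-body 3BE2D343

    :0 ac
    ! email2 at mydomain.com
"""
import subprocess
import sys
from typing import Sequence

ARMOR_BEGIN = b"-----BEGIN PGP MESSAGE-----"
ARMOR_END = b"-----END PGP MESSAGE-----"
EX_USAGE = 64      # sysexits.h values; procmail treats any non-zero status
EX_TEMPFAIL = 75   # as a failed filter and keeps the original text


class EncryptionFailed(Exception):
    """gpg failed or produced something that is not an armored message."""


def encrypt_body(body: bytes, recipient: str,
                 gpg_cmd: Sequence[str] = ("gpg",)) -> bytes:
    """Return the armored ciphertext of `body`, or raise EncryptionFailed.

    --batch and --no-tty keep gpg from prompting when run from procmail; an
    unknown or unusable recipient key then shows up as a non-zero exit status.
    `gpg_cmd` is an assumption of this example so that a stub can stand in for gpg.
    """
    argv = [*gpg_cmd, "--batch", "--no-tty", "--armor", "--encrypt",
            "-r", recipient, "--output", "-"]
    proc = subprocess.run(argv, input=body,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        detail = proc.stderr.decode(errors="replace").strip()
        raise EncryptionFailed(f"gpg exited {proc.returncode}: {detail}")
    out = proc.stdout
    # Refuse anything that is not a complete armored block, e.g. a wrapper
    # script installed as "gpg" that passes its input through unchanged.
    if not out.startswith(ARMOR_BEGIN) or not out.rstrip().endswith(ARMOR_END):
        raise EncryptionFailed("gpg output is not an armored OpenPGP message")
    return out


def main(argv: Sequence[str]) -> int:
    if len(argv) != 2:
        print("usage: encrypt-body RECIPIENT", file=sys.stderr)
        return EX_USAGE
    try:
        out = encrypt_body(sys.stdin.buffer.read(), argv[1])
    except (EncryptionFailed, OSError) as exc:
        print(f"encrypt-body: {exc}", file=sys.stderr)
        return EX_TEMPFAIL
    sys.stdout.buffer.write(out)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```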
From Jake_Rai at tui-uk.co.uk Wed May 13 18:17:29 2009
From: Jake_Rai at tui-uk.co.uk (Rai, Jake)
Date: Wed, 13 May 2009 17:17:29 +0100
Subject: Help!
Message-ID:
Hello,
Hoping you could help me.
Could you provide me with a link for a GUI version of GNUPG.
We are looking to decrypt gpg files received using key authentication.
Kind Regards,
Jake Rai
Senior Operational Support Analyst
TUI UK - IT Service Delivery
Landline: +44(0)2476 283118
Mobile: +44(0)7976 539817
From cdfrey at foursquare.net Thu May 14 05:48:07 2009
From: cdfrey at foursquare.net (Chris Frey)
Date: Wed, 13 May 2009 23:48:07 -0400
Subject: procmail and gpg
In-Reply-To:
References:
Message-ID: <20090514034807.GA28778@foursquare.net>
On Wed, May 13, 2009 at 01:39:06AM -0400, Stormer's Cgi-Archive wrote:
> I asked this one before... either no response or no one knows.
>
> Has anyone got a procmail recipe that works so that any email sent to
> a particular pop3 account will be encrypted with a public key?
>
> maybe I am on the wrong list? Recommendations?
You need to make use of the idea of procmail filter rules.
For example, I use a rule like this to adjust the Subject line of
mail from the full-disclosure mailing list:
####### full-disclosure
:0
* ^List-Id:.*full-disclosure.lists.grok.org.uk
{
        # filter delivered mail's subject line for better mutt sorting
        :0hfW
        | sed -e '/^Subject: / s/\[Full-disclosure\] //'

        # send to proper mailbox
        :0
        full-disclosure
}
The above was copied from a working setup. You'll need to do some testing
and playing around, but extrapolating from my above rule, I'd likely
try something like this:
# send body of email through a gpg filter, and make sure it succeeds
:0bfW
| gpg --armor -r cdfrey at foursquare.net --encrypt
Hope that helps,
- Chris
From dave.smith at st.com Thu May 14 12:36:37 2009
From: dave.smith at st.com (David SMITH)
Date: Thu, 14 May 2009 11:36:37 +0100
Subject: Help!
In-Reply-To:
References:
Message-ID: <20090514103637.GF17008@bristol.st.com>
On Wed, May 13, 2009 at 05:17:29PM +0100, Rai, Jake wrote:
> Hoping you could help me.
> Could you provide me with a link for a GUI version of GNUPG.
>
> We are looking to decrypt gpg files received using key authentication.
You appear to be describing GPA:
http://www.gnupg.org/gpa.html
Some friendly advice:
1. Be a bit more descriptive with your subject line. "Help!" doesn't
really give any clue what you're after, and some people will just
ignore that sort of mail.
2. Learn to ask "smart questions". Include useful information - e.g.
in this case, it would be useful to know what Operating System
you're running (Windows (version?), Linux, Mac OSX).
More info: http://catb.org/esr/faqs/smart-questions.html
3. Huge disclaimers like this one have virtually no legal merit and
just annoy people by wasting bandwidth and disk space. In the "old
days of the Internet", a 4-line, 72 characters per line signature
was generally considered to be an acceptable limit.
>
> Thomson.co.uk for Holidays, Flights, Hotels, customer reviews and over 2000 videos. Find us at www.thomson.co.uk, Sky Digital Channel 647 or on your high street.
>
> CONFIDENTIALITY NOTICE & DISCLAIMER
>
> This message, together with any attachments, is for the confidential and exclusive use of the intended addresses(s). If you receive it in error, please delete the message and its attachments from your system immediately and notify us by return e-mail. Do not disclose copy, circulate or use any information contained in this e-mail.
>
>   The content of this e-mail is to be read subject to our terms of business, as applicable.
[snip]
HTH...
--
David Smith Work Email: Dave.Smith at st.com
STMicroelectronics Home Email: David.Smith at ds-electronics.co.uk
Bristol, England GPG Key: 0xF13192F2
From BruderB at cation.de Thu May 14 13:21:17 2009
From: BruderB at cation.de (B)
Date: Thu, 14 May 2009 13:21:17 +0200
Subject: Help!
In-Reply-To:
References:
Message-ID: <4A0BFEAD.5080806@cation.de>
Hi Jake,
you should provide a little more information, at least which OS?
Boris
Rai, Jake wrote:
> Hello,
>
> Hoping you could help me.
> Could you provide me with a link for a GUI version of GNUPG.
>
> We are looking to decrypt gpg files received using key authentication.
>
> Kind Regards,
> **
> *Jake Rai*
> Senior Operational Support Analyst
> TUI UK - IT Service Delivery
> Landline: +44(0)2476 283118
> Mobile: +44(0)7976 539817
From faramir.cl at gmail.com Thu May 14 19:09:34 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 14 May 2009 13:09:34 -0400
Subject: Help!
In-Reply-To:
References:
Message-ID: <4A0C504E.6090000@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Rai, Jake wrote:
> Hello,
>
> Hoping you could help me.
> Could you provide me with a link for a GUI version of GNUPG.
What operating system do you use? I mean, Windows? Linux? Other?
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
From allen.schultz at gmail.com Fri May 15 01:41:35 2009
From: allen.schultz at gmail.com (Allen Schultz)
Date: Thu, 14 May 2009 17:41:35 -0600
Subject: Photo's in keys?
Message-ID: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
RE: including a photo uid, which is commonly stripped by public
keyservers (http://fifthhorseman.net/key-transition-2007-06-15.txt)
Are there any limits on the photo in the keys, format/extension,
size, etc? Will GPG resize if necessary? And the basic command
to add the pic in, please.
Thanks in advance,
- --
Allen Schultz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72
iEYEARECAAYFAkoMrC4ACgkQV5r3Eu55xjalOACfZ+CsWicTrc4NL2s6Ip+4+cd3
7MMAnjDlNuf+NSVLfgpcDPTdWX4VbuA8
=RG32
-----END PGP SIGNATURE-----
From dshaw at jabberwocky.com Fri May 15 05:25:31 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 14 May 2009 23:25:31 -0400
Subject: Photo's in keys?
In-Reply-To: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
References: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
Message-ID: <43B1D926-5BF1-478F-AEC4-D30504AFDCF7@jabberwocky.com>
On May 14, 2009, at 7:41 PM, Allen Schultz wrote:
> RE: including a photo uid, which is commonly stripped by public
> keyservers (http://fifthhorseman.net/key-transition-2007-06-15.txt)
>
> Are there any limits on the photo in the keys, format/extension,
> size, etc? Will GPG resize if necessary? And the basic command
> to add the pic in, please.
The pic must be JPEG and the extension doesn't matter. GPG doesn't
really care what the size is, but if it is over 6k, you'll get an "are
you sure?" message, as it is kindness to the rest of the world to keep
key sizes from getting out of control. GPG does not manipulate/resize
the photo in any way. The command is "addphoto", in the --edit-key
menu.
David
From John at Mozilla-Enigmail.org Fri May 15 04:30:04 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Thu, 14 May 2009 21:30:04 -0500
Subject: Photo's in keys?
In-Reply-To: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
References: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
Message-ID: <4A0CD3AC.2080806@Mozilla-Enigmail.org>
Allen Schultz wrote:
> RE: including a photo uid, which is commonly stripped by public
> keyservers (http://fifthhorseman.net/key-transition-2007-06-15.txt)
>
> Are there any limits on the photo in the keys, format/extension,
> size, etc? Will GPG resize if necessary? And the basic command
> to add the pic in, please.
Not sure where the idea that public keyservers strip photo ids is from.
That was a problem with older PKS servers, but the current SKS photos
handle all aspects of V4 keys just fine.
PGP specifies 120x144 as the maximum image resolution while GPG
recommends the usage of 240x288. You'll need to size the image yourself
beforehand.
Most folks recommend keeping the size down to 4K-6K which favors JPEG.
RFC 4880 only mentions JPEG.
Open a command window/shell prompt. Run the command
    gpg --edit-key KEYID addphoto
GnuPG will then ask you for the filename of your JPEG image. Specify the
complete path.
--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
From rjh at sixdemonbag.org Fri May 15 05:40:58 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 14 May 2009 23:40:58 -0400
Subject: Photo's in keys?
In-Reply-To: <43B1D926-5BF1-478F-AEC4-D30504AFDCF7@jabberwocky.com>
References: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
<43B1D926-5BF1-478F-AEC4-D30504AFDCF7@jabberwocky.com>
Message-ID: <4A0CE44A.7070800@sixdemonbag.org>
David Shaw wrote:
> The pic must be JPEG and the extension doesn't matter. GPG doesn't
> really care what the size is, but if it is over 6k, you'll get an "are
> you sure?" message, as it is kindness to the rest of the world to keep
> key sizes from getting out of control. GPG does not manipulate/resize
> the photo in any way. The command is "addphoto", in the --edit-key menu.
Is there any guidance on what size PGP expects it to be (in terms of
screen dimension, not size)?
From dshaw at jabberwocky.com Fri May 15 06:10:36 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 15 May 2009 00:10:36 -0400
Subject: Photo's in keys?
In-Reply-To: <4A0CE44A.7070800@sixdemonbag.org>
References: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
<43B1D926-5BF1-478F-AEC4-D30504AFDCF7@jabberwocky.com>
<4A0CE44A.7070800@sixdemonbag.org>
Message-ID: <9E9D597C-1F28-427A-AC27-40505D3AB1E9@jabberwocky.com>
On May 14, 2009, at 11:40 PM, Robert J. Hansen wrote:
> David Shaw wrote:
>> The pic must be JPEG and the extension doesn't matter. GPG doesn't
>> really care what the size is, but if it is over 6k, you'll get an
>> "are
>> you sure?" message, as it is kindness to the rest of the world to
>> keep
>> key sizes from getting out of control. GPG does not manipulate/
>> resize
>> the photo in any way. The command is "addphoto", in the --edit-key
>> menu.
>
> Is there any guidance on what size PGP expects it to be (in terms of
> screen dimension, not size)?
These days it's 120x144, but in the past it was double that (220x288).
Incidentally, GPG will allow you to have more than one photo ID, and
PGP only permits one. PGP (9, anyway) will accept a key with multiple
photo IDs, but it will only show you one photo. This is actually a
bit of a step backwards - in earlier versions it showed all photos,
even though it would only generate one itself.
David
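Added example, not part of the thread and not GnuPG code: since GPG does not resize the photo, a pre-flight check before "addphoto" can read the JPEG frame header and compare the file against the figures given in David Shaw's and John Clizbe's messages above. The function names are assumptions; the 240x288 bound is the one John Clizbe cites as GPG's recommendation (use 120x144 for the PGP figure), and the 6k bound is the point at which David Shaw says GPG asks "are you sure?".

```python
import struct
from typing import List, Optional, Tuple

MAX_BYTES = 6 * 1024                 # above this GPG asks for confirmation
MAX_WIDTH, MAX_HEIGHT = 240, 288     # recommended size quoted in the thread

# Start-of-frame markers carry the image size; 0xC4, 0xC8 and 0xCC are not SOF.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
# Markers that stand alone, without a length field (TEM and RST0..RST7).
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def jpeg_dimensions(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (width, height) from the first SOF segment, or None if the data
    is not a JPEG whose frame header can be read (wrong type or truncated)."""
    if data[:2] != b"\xff\xd8":                  # SOI
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if marker in (0xD9, 0xDA):               # EOI / start of scan: no SOF seen
            return None
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            return None                          # corrupt or truncated segment
        if marker in SOF_MARKERS:
            if length < 8:
                return None
            # Layout after the length: precision(1) height(2) width(2) ...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + length
    return None


def check_photo(data: bytes) -> List[str]:
    """Return the list of problems found; an empty list means nothing to fix."""
    dims = jpeg_dimensions(data)
    if dims is None:
        return ["not a JPEG with a readable frame header (photo IDs must be JPEG)"]
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, over the {MAX_BYTES} byte guideline")
    width, height = dims
    if width > MAX_WIDTH or height > MAX_HEIGHT:
        problems.append(f"image is {width}x{height}, larger than {MAX_WIDTH}x{MAX_HEIGHT}")
    return problems


if __name__ == "__main__":
    import sys

    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            issues = check_photo(fh.read())
        print(path, "OK" if not issues else "; ".join(issues))
```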
From webmaster at felipe1982.com Sat May 16 02:34:19 2009
From: webmaster at felipe1982.com (webmaster at felipe1982.com)
Date: Fri, 15 May 2009 18:34:19 -0600 (MDT)
Subject: problems with PGP/MIME
Message-ID: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com>
I will do my best to describe as succinctly and clearly as possible. To
begin, I use openSUSE, openoffice for documents, and [usually] kmail for
email. I created a document in OOo and clicked on the 'email' button to
send it to my "other" email address xx at student.qut.edu.au [backup]. I sent
the file signed and encrypted. The other address has only a web interface,
and as such, has no support for PGP/MIME. As expected, I see two
attachments, application/pgp-encrypted "VERSION 1" file, and
application/octet-stream (my encrypted .odt file). It isn't actually
binary, it appears in ASCII when downloaded and opened in text editor. I
ran it through Kgpg, and also separately through gpg command line, and was
disappointed that I did not recover my original .odt file.
The top portion contains email header information stuff (stuff I don't
want, or care to understand). There is a signature at the very bottom, but
verification fails (it is *my*own* pub/priv key pair). In the middle,
above the signature, and below the email header stuff, there is an
ascii-armoured portion of data. I have not yet attempted to select it all,
copy, paste, decrypt, because I thought to myself, "there must be a better
(read: easier) way to do this..." So, is there?
I forwarded the message back to my xx at felipe1982.com address, and viewed
it in kmail (which as you all know, supports cool things like pgp/mime).
But it (after submitting my passphrase) will not decrypt!
Is this the normal behaviour of pgp/mime? I did read a little (albeit
quickly and not in detail) of rfc3156 (is this the most recent?).
Any ideas, suggestions, comments appreciated. Thanks.
Felipe
From webmaster at felipe1982.com Sat May 16 09:41:26 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Sat, 16 May 2009 17:41:26 +1000
Subject: problems with PGP/MIME
In-Reply-To: <4A0E4AAE.5000701@gbenet.com>
References: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com>
<4A0E4AAE.5000701@gbenet.com>
Message-ID: <200905161741.26379.webmaster@felipe1982.com>
On Sat, 16 May 2009 15:10:06 david wrote:
> You encrypt the document first - before sending. So type oo document
> then encrypt it - save it to disk then open email and add it as an
> attachment - this will preserve formatting you do not then have to
> encrypt again - you could digitally sign if you wish.
>
> David
>
> webmaster at felipe1982.com wrote:
> > I will do my best to describe as succinctly and clearly as possible. To
> > begin, I use openSUSE, openoffice for documents, and [usually] kmail for
> > email. I created a document in OOo and clicked on the 'email' button to
> > send it to my "other" email address xx at student.qut.edu.au [backup]. I
> > sent the file signed and encrypted. The other address has only a web
> > interface, and as such, has no support for PGP/MIME. As expected, I see
> > two attachments, application/pgp-encrypted "VERSION 1" file, and
> > application/octet-stream (my encrypted .odt file). It isn't actually
> > binary, it appears in ASCII when downloaded and opened in text editor. I
> > ran it through Kgpg, and also separately through gpg command line, and
> > was disappointed that I did not recover my original .odt file.
> >
> > The top portion contains email header information stuff (stuff I don't
> > want, or care to understand). There is a signature at the very bottom,
> > but verification fails (it is *my*own* pub/priv key pair). In the middle,
> > above the signature, and below the email header stuff, there is an
> > ascii-armoured portion of data. I have not yet attempted to select it
> > all, copy, paste, decrypt, because I thought to myself, "there must be a
> > better (read: easier) way to do this..." So, is there?
> >
> > I forwarded the message back to my xx at felipe1982.com address, and viewed
> > it in kmail (which as you all know, supports cool things like pgp/mime).
> > But it (after submitting my passphrase) will not decrypt!
> >
> > Is this the normal behaviour of pgp/mime. I did read a little (albeit
> > quickly and not in detail) of rfc3156 (is this the most recent?).
> >
> > Any ideas, suggestions, comments appreciated. Thanks.
> >
> > Felipe
I assume[d] (maybe incorrectly?) that clients without support for
pgp/mime would still be able to manually extract/download the
attachments and manually decrypt them and reliably open, read and
change them. Does the RFC allow for 'legacy' email clients to still
read/decrypt attachments as normal?
Felipe
From kloecker at kde.org Sat May 16 12:13:55 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Sat, 16 May 2009 12:13:55 +0200
Subject: problems with PGP/MIME
In-Reply-To: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com>
References: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com>
Message-ID: <200905161213.56202@thufir.ingo-kloecker.de>
On Saturday 16 May 2009, webmaster at felipe1982.com wrote:
> I will do my best to describe as succinctly and clearly as possible.
> To begin, I use openSUSE, openoffice for documents, and [usually]
> kmail for email. I created a document in OOo and clicked on the
> 'email' button to send it to my "other" email address
> xx at student.qut.edu.au [backup]. I sent the file signed and encrypted.
> The other address has only a web interface, and as such, has no
> support for PGP/MIME. As expected, I see two attachments,
> application/pgp-encrypted "VERSION 1" file, and
> application/octet-stream (my encrypted .odt file).
The application/octet-stream attachment does not only contain your
encrypted .odt file, but the whole MIME structure of your message
(after signing and before encryption) including the attached .odt file.
> It isn't actually
> binary, it appears in ASCII when downloaded and opened in text
> editor. I ran it through Kgpg, and also separately through gpg
> command line, and was disappointed that I did not recover my original
> .odt file.
>
> The top portion contains email header information stuff (stuff I
> don't want, or care to understand). There is a signature at the very
> bottom, but verification fails (it is *my*own* pub/priv key pair).
That's because KGpg probably does not know how to verify PGP/MIME
signatures correctly.
> In
> the middle, above the signature, and below the email header stuff,
> there is an ascii-armoured portion of data. I have not yet attempted
> to select it all, copy, paste, decrypt, because I thought to myself,
> "there must be a better (read: easier) way to do this..." So, is
> there?
The "ascii-armoured portion of data" is most likely the base64
encoded .odt attachment. Try running it through
base64 -di < "ascii-armoured portion of data" >foo.odt
base64 is part of the coreutils.
> I forwarded the message back to my xx at felipe1982.com address, and
> viewed it in kmail (which as you all know, supports cool things like
> pgp/mime). But it (after submitting my passphrase) will not decrypt!
Hmm. No idea unless you did not make sure that the message is also
encrypted with your own key.
> Is this the normal behaviour of pgp/mime. I did read a little (albeit
> quickly and not in detail) of rfc3156 (is this the most recent?).
In theory, PGP/MIME allows arbitrary complex hierarchies of signed and
encrypted body parts.
In practice, KMail (and probably most other PGP/MIME capable email
clients) encrypt the whole message (except for the email headers) after
the optional signing step, i.e. the text and all attachments. Now, if
you decrypt the encrypted "attachment" in the received message, you
will get something like you write above.
I'm not sure what your use-case is. If it's for backup purposes (as
indicated above), then I suggest to sign and encrypt the .odt file with
KGpg and then attach this signed&encrypted attachment to a message.
This message should then not be encrypted because otherwise you'll have
the same situation as above. Signing the message should be okay.
Regards,
Ingo
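
The structure described in the reply above, as an added example that is not part of the original message: once gpg has decrypted the application/octet-stream part, the plaintext is itself a MIME tree (signed wrapper, body text, base64-encoded attachment), and a MIME parser recovers the file without copying and pasting. The sample payload, the file name `report.odt` and the function names are constructed for illustration.

```python
import base64
import posixpath
from email import message_from_bytes, policy

# Constructed stand-in for the .odt file (real ones are ZIP archives, hence "PK").
ODT_BYTES = b"PK\x03\x04 constructed stand-in for report.odt contents"


def build_sample_payload():
    """Constructed sample of the plaintext left after decrypting a
    signed-then-encrypted PGP/MIME message (no real signature inside)."""
    b64 = base64.encodebytes(ODT_BYTES).decode("ascii").strip()
    lines = [
        'Content-Type: multipart/signed; micalg=pgp-sha1; '
        'protocol="application/pgp-signature"; boundary="sig"',
        "",
        "--sig",
        'Content-Type: multipart/mixed; boundary="mix"',
        "",
        "--mix",
        'Content-Type: text/plain; charset="us-ascii"',
        "",
        "Backup copy attached.",
        "--mix",
        'Content-Type: application/vnd.oasis.opendocument.text; name="report.odt"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="report.odt"',
        "",
        b64,
        "--mix--",
        "",
        "--sig",
        'Content-Type: application/pgp-signature; name="signature.asc"',
        "",
        "-----BEGIN PGP SIGNATURE-----",
        "",
        "(constructed placeholder, not a real signature)",
        "-----END PGP SIGNATURE-----",
        "--sig--",
        "",
    ]
    return "\n".join(lines).encode("ascii")


def describe_structure(payload):
    """Return one indented content-type line per MIME part, outermost first."""
    def walk(part, depth):
        rows = ["  " * depth + part.get_content_type()]
        if part.is_multipart():
            for child in part.get_payload():
                rows.extend(walk(child, depth + 1))
        return rows

    return walk(message_from_bytes(payload, policy=policy.default), 0)


def extract_attachments(payload):
    """Map attachment file name -> decoded bytes, skipping the detached signature."""
    msg = message_from_bytes(payload, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "application/pgp-signature":
            continue
        name = part.get_filename()
        if not name:
            continue  # inline body text, not an attachment
        # The file name comes from the message, so keep only its last path
        # component before it is ever used to write a file.
        safe = posixpath.basename(name.replace("\\", "/")) or "attachment.bin"
        # decode=True undoes the Content-Transfer-Encoding (base64 here).
        found[safe] = part.get_payload(decode=True)
    return found


if __name__ == "__main__":
    sample = build_sample_payload()
    print("\n".join(describe_structure(sample)))
    for filename, data in extract_attachments(sample).items():
        print(filename, len(data), "bytes")
```

The detached signature part is skipped here rather than checked; verifying it needs the exact bytes of the signed part, which is a separate step from recovering the attachment.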
From webmaster at felipe1982.com Sat May 16 16:16:08 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Sun, 17 May 2009 00:16:08 +1000
Subject: problems with PGP/MIME
In-Reply-To: <200905161213.56202@thufir.ingo-kloecker.de>
References: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com>
<200905161213.56202@thufir.ingo-kloecker.de>
Message-ID: <200905170016.23075.webmaster@felipe1982.com>
On Sat, 16 May 2009 20:13:55 Ingo Klöcker wrote:
> On Saturday 16 May 2009, webmaster at felipe1982.com wrote:
> > I will do my best to describe as succinctly and clearly as possible.
> > To begin, I use openSUSE, openoffice for documents, and [usually]
> > kmail for email. I created a document in OOo and clicked on the
> > 'email' button to send it to my "other" email address
> > xx at student.qut.edu.au [backup]. I sent the file signed and encrypted.
> > The other address has only a web interface, and as such, has no
> > support for PGP/MIME. As expected, I see two attachments,
> > application/pgp-encrypted "VERSION 1" file, and
> > application/octet-stream (my encrypted .odt file).
>
> The application/octet-stream attachment does not only contain your
> encrypted .odt file, but the whole MIME structure of your message
> (after signing and before encryption) including the attached .odt file.
>
> > It isn't actually
> > binary, it appears in ASCII when downloaded and opened in text
> > editor. I ran it through Kgpg, and also separately through gpg
> > command line, and was disappointed that I did not recover my original
> > .odt file.
> >
> > The top portion contains email header information stuff (stuff I
> > don't want, or care to understand). There is a signature at the very
> > bottom, but verification fails (it is *my*own* pub/priv key pair).
>
> That's because KGpg probably does not know how to verify PGP/MIME
> signatures correctly.
>
> > In
> > the middle, above the signature, and below the email header stuff,
> > there is an ascii-armoured portion of data. I have not yet attempted
> > to select it all, copy, paste, decrypt, because I thought to myself,
> > "there must be a better (read: easier) way to do this..." So, is
> > there?
>
> The "ascii-armoured portion of data" is most likely the base64
> encoded .odt attachment. Try running it through
>
> base64 -di < "ascii-armoured portion of data" >foo.odt
>
> base64 is part of the coreutils.
>
> > I forwarded the message back to my xx at felipe1982.com address, and
> > viewed it in kmail (which as you all know, supports cool things like
> > pgp/mime). But it (after submitting my passphrase) will not decrypt!
>
> Hmm. No idea unless you did not make sure that the message is also
> encrypted with your own key.
>
> > Is this the normal behaviour of pgp/mime. I did read a little (albeit
> > quickly and not in detail) of rfc3156 (is this the most recent?).
>
> In theory, PGP/MIME allows arbitrary complex hierarchies of signed and
> encrypted body parts.
>
> In practice, KMail (and probably most other PGP/MIME capable email
> clients) encrypt the whole message (except for the email headers) after
> the optional signing step, i.e. the text and all attachments. Now, if
> you decrypt the encrypted "attachment" in the received message, you
> will get something like you write above.
>
> I'm not sure what your use-case is. If it's for backup purposes (as
> indicated above), then I suggest to sign and encrypt the .odt file with
> KGpg and then attach this signed&encrypted attachment to a message.
> This message should then not be encrypted because otherwise you'll have
> the same situation as above. Signing the message should be okay.
>
>
> Regards,
> Ingo
As it turns out, the attachment was base64 encoded, and the code
you asked me to run worked correctly and the file opened beautifully
in Ooo again!
I restarted Kmail, and this time it __did__ decrypt the message (it had
failed to do this earlier). All-in-all, clients without pgp/mime are a PITA.
Use ascii armour or encrypt attachments before attaching (not
encryption after attaching as in pgp/mime.)
Felipe
From rjh at sixdemonbag.org Sat May 16 16:49:41 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 16 May 2009 10:49:41 -0400
Subject: problems with PGP/MIME
In-Reply-To: <200905170016.23075.webmaster@felipe1982.com>
References: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com> <200905161213.56202@thufir.ingo-kloecker.de>
<200905170016.23075.webmaster@felipe1982.com>
Message-ID: <4A0ED285.6020603@sixdemonbag.org>
Felipe Alvarez wrote:
> As it turns out, the attachment was base64 encoded, and the code
> you asked me to run worked correctly and the file opened beautifully
> in Ooo again!
We're glad your problem has been solved. :) However, in the future,
could you please trim your quotes? I would appreciate it, as would I
think many others.
From louis.capuani at gmail.com Sat May 16 23:33:58 2009
From: louis.capuani at gmail.com (Lucio Capuani)
Date: Sat, 16 May 2009 23:33:58 +0200
Subject: There are actually two public keys?
Message-ID:
Hello everybody and thank you for reading. I have a pretty good
understanding of how asymmetric cryptography works in general. Nevertheless,
the fact that GPG uses "two keys", I mean a main key and a subkey, confuses
me. Are those "two keys" the private/public pair? Or it's else? The subkey
is a public key (it must be); since you use it for encryption, that's the
one you *publish* to the World so it can crypt stuff for you. So far so
good. Now for the other key. Is that to be meant as the "private" key, since
is the one that's used for signing? Since that is also the key that people
do sign; I think the answer is NO, but I'm not sure. My idea is that *both
of those keys are public keys*; one of those public keys is used by other to
crypt stuff (the "sub", as seen above) and the other is used to VALIDATE
your signature; and that's the one people do sign to acknowledge that
it's yours. So, that key is public too! If that's correct (it is?) it would
be more adequate to say that gpg generates a triplet of keys rather than a
pair then?; two public keys and one private. If the private is only one of
course. And if I got all of this right. :-) Please kindly enlighten me,
because all the documentation browsing I did was unsuccessful for this
purpose. Thank you SO much everybody! Lucio Capuani
From rjh at sixdemonbag.org Sun May 17 00:41:56 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 16 May 2009 18:41:56 -0400
Subject: There are actually two public keys?
In-Reply-To:
References:
Message-ID: <4A0F4134.4080307@sixdemonbag.org>
Lucio Capuani wrote:
> Nevertheless, the fact that GPG uses "two keys", I mean a main key and a
> subkey, confuses me. Are those "two keys" the private/public pair? Or
> it's else?
There are two keypairs. One keypair is used for signing, and the other
is used for encrypting. The private part of the signing keypair is used
to generate signatures; the public part is used to verify them.
Likewise, the private part of the encryption keypair is used to decrypt
documents; the public part is used to encrypt them.
From dshaw at jabberwocky.com Sun May 17 01:34:09 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 16 May 2009 19:34:09 -0400
Subject: There are actually two public keys?
In-Reply-To:
References:
Message-ID: <2A9928AB-2A3E-46B4-BD6E-C7369574855E@jabberwocky.com>
On May 16, 2009, at 5:33 PM, Lucio Capuani wrote:
> Hello everybody and thank you for reading. I have a pretty good
> understanding of how asymmetric cryptography works in general.
> Nevertheless, the fact that GPG uses "two keys", I mean a main key
> and a subkey, confuses me. Are those "two keys" the private/public
> pair? Or it's else? The subkey is a public key (it must be); since
> you use it for encryption, that's the one you *publish* to the World
> so it can crypt stuff for you. So far so good. Now for the other
> key. Is that to be meant as the "private" key, since is the one
> that's used for signing? Since that is also the key that people do
> sign; I think the answer is NO, but I'm not sure. My idea is that
> *both of those keys are public keys*; one of those public keys is
> used by other to crypt stuff (the "sub", as seen above) and the
> other is used to VALIDATE your signature; and that's the one people
> do sign to acknowledge that it's yours. So, that key is public
> too!
Exactly right. In your example, both the primary key and the subkey
are public keys.
Basically, you can have multiple public/private key pairs. When
people say "public key" in the OpenPGP world, they generally mean "My
public primary key, and any public subkey(s)". Similarly, when people
say "secret key" or "private key" in the OpenPGP world, they generally
mean "My secret primary key, and any secret subkey(s)".
The common OpenPGP key of a primary key and one subkey is 2 key pairs:
the public primary, and its secret, and the public subkey, and its
secret. Each additional subkey is a public/private key pair on its own.
David
From jh at jameshoward.us Sun May 17 02:37:30 2009
From: jh at jameshoward.us (James P. Howard, II)
Date: Sat, 16 May 2009 20:37:30 -0400
Subject: There are actually two public keys?
In-Reply-To: <4A0F4134.4080307@sixdemonbag.org>
References:
<4A0F4134.4080307@sixdemonbag.org>
Message-ID: <4A0F5C4A.8040104@jameshoward.us>
On Sat May 16 18:41:56 2009, Robert J. Hansen wrote:
> There are two keypairs. One keypair is used for signing, and the other
> is used for encrypting. The private part of the signing keypair is used
> to generate signatures; the public part is used to verify them.
> Likewise, the private part of the encryption keypair is used to decrypt
> documents; the public part is used to encrypt them.
Can anyone explain why there is a difference between signing and
encrypting keypairs, even for the same type (RSA)?
James
--
James P. Howard, II, MPA
jh at jameshoward.us
From rjh at sixdemonbag.org Sun May 17 03:33:10 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 16 May 2009 21:33:10 -0400
Subject: There are actually two public keys?
In-Reply-To: <4A0F5C4A.8040104@jameshoward.us>
References:
<4A0F4134.4080307@sixdemonbag.org>
<4A0F5C4A.8040104@jameshoward.us>
Message-ID: <4A0F6956.6040309@sixdemonbag.org>
James P. Howard, II wrote:
> Can anyone explain why there is a difference between signing and
> encrypting keypairs, even for the same type (RSA)?
The shift from single keypairs to multiple keypairs was motivated by a
lot of concerns. IMO, most of those concerns failed to materialize.
For instance, some people say that separate signing and encrypting keys
is best, since if an encryption key gets compromised you can just revoke
the encryption part and leave your signing key intact. In reality,
compromise tends to be an all or nothing affair: either the entire cert
is suspect or it's not.
From louis.capuani at gmail.com Sun May 17 03:14:16 2009
From: louis.capuani at gmail.com (Lucio Capuani)
Date: Sun, 17 May 2009 03:14:16 +0200
Subject: There are actually two public keys?
In-Reply-To: <4A0F5C4A.8040104@jameshoward.us>
References:
<4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us>
Message-ID:
Thanks David and Robert for your informative (and quick) replies. It's
much more clear now. But, am I the only one to think that the
documentation is pretty misleading about "pairs" of keys, and that GPG
generate 'a' keypair (With gpg --gen-key a new key-pair is
created...), and moreover, that one of the (actually) two generated
keypairs is tagged as... "pub"?
> Can anyone explain why there is a difference between signing and
> encrypting keypairs, even for the same type (RSA)?
As far as I've understood from the documentation, one of the reason
should be that it would be good practice to keep the signing key valid
indefinitely (thus, having one that never expires so old signatures
can be verified too) and renew the cryptographic one pretty often for
security reason. As before, I'd love to get confirmations or denials
of that ;), and if there's else about it.
Thanks so much!
--
Lucio Capuani
From dshaw at jabberwocky.com Sun May 17 05:40:10 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 16 May 2009 23:40:10 -0400
Subject: There are actually two public keys?
In-Reply-To:
References:
<4A0F4134.4080307@sixdemonbag.org>
<4A0F5C4A.8040104@jameshoward.us>
Message-ID: <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
On May 16, 2009, at 9:14 PM, Lucio Capuani wrote:
>> Can anyone explain why there is a difference between signing and
>> encrypting keypairs, even for the same type (RSA)?
>
> As far as I've understood from the documentation, one of the reason
> should be that it would be good practice to keep the signing key valid
> indefinitely (thus, having one that never expires so old signatures
> can be verified too) and renew the cryptographic one pretty often for
> security reason. As before, I'd love to get confirmations or denials
> of that ;), and if there's else about it.
That's one of the reasons. There were actually a good few reasons for
the switch at the time (the "PGP 3" timeframe, which became the PGP
5.0 product). One reason was legal, and not technical. RSA was still
patented at the time, so that couldn't as easily be used. DSA was
chosen, but DSA can't encrypt, which pretty much required a multiple
key (primary key + subkeys) solution. In addition, though, the
multiple key solution was chosen for its flexibility, as you noted.
It is handy to be able to make multiple subkeys and regenerate them as
needed.
One thing the multiple subkey design makes possible is to keep the
primary key offline altogether, and just use subkeys for all the day
to day encryption and signing needs. In this way of working, the
primary key is only used for two purposes: to make new subkeys when
that becomes necessary, and to sign other people's keys. When it is
not in use (i.e. most of the time), the primary key is stored on
separate media (say, a CD-ROM or USB stick). See the
--export-secret-subkeys description in the GPG manual for more on this.
Note, though, that if you want a single key for everything, you can
still do that. Generate yourself an RSA key using the --expert flag,
and you can create a key that is capable of both encrypting and
signing in a single key. It's unusual, and I don't recommend it, but
GPG will happily use it.
David
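
The key layout described in the message above, as an added example that is not part of the original post: it reads a machine-readable listing in the format printed by `gpg --with-colons --list-keys` (field 12 holds each key's capability letters), counts the key pairs, and checks whether subkeys alone cover day-to-day signing and encryption so the primary key could stay offline. The two sample listings, key IDs and function names are constructed.

```python
# Capability letters from field 12 of a colon listing. Lowercase letters
# describe the key on that line; uppercase letters on the primary key line
# summarise the whole key and are ignored here.
CAPABILITIES = {"c": "certify", "s": "sign", "e": "encrypt", "a": "authenticate"}
ALGORITHMS = {"1": "RSA", "16": "Elgamal", "17": "DSA"}

# Constructed listing: a DSA primary key with one Elgamal encryption subkey.
SAMPLE_DEFAULT = (
    "pub:u:1024:17:1111111111111111:2009-05-16:::u:"
    "Example User <user@example.org>::scESC:\n"
    "sub:u:2048:16:2222222222222222:2009-05-16::::::e:\n"
)
# Constructed listing: the same key after an RSA signing subkey was added.
SAMPLE_WITH_SIGNING_SUBKEY = (
    SAMPLE_DEFAULT + "sub:u:2048:1:3333333333333333:2009-05-17::::::s:\n"
)


def parse_colon_listing(text):
    """Group pub/sec lines with the sub/ssb lines that follow them."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] not in ("pub", "sec", "sub", "ssb"):
            continue  # uid, fpr and other record types are not needed here
        entry = {
            "keyid": fields[4],
            "algorithm": ALGORITHMS.get(fields[3], "algo " + fields[3]),
            "bits": int(fields[2]),
            "can": [CAPABILITIES[c] for c in fields[11] if c in CAPABILITIES],
        }
        if fields[0] in ("pub", "sec"):
            keys.append({"primary": entry, "subkeys": []})
        elif keys:
            keys[-1]["subkeys"].append(entry)
    return keys


def count_key_pairs(key):
    """The primary key and every subkey are each one public/private pair."""
    return 1 + len(key["subkeys"])


def primary_can_stay_offline(key):
    """True when subkeys alone can do the daily signing and encryption."""
    covered = {cap for sub in key["subkeys"] for cap in sub["can"]}
    return {"sign", "encrypt"} <= covered


if __name__ == "__main__":
    for label, listing in (("default", SAMPLE_DEFAULT),
                           ("with signing subkey", SAMPLE_WITH_SIGNING_SUBKEY)):
        key = parse_colon_listing(listing)[0]
        print(label, "-", count_key_pairs(key), "key pairs,",
              "primary can stay offline:", primary_can_stay_offline(key))
        for k in [key["primary"]] + key["subkeys"]:
            print("  ", k["keyid"], k["algorithm"], k["bits"], ", ".join(k["can"]))
```

In the first listing signing still happens with the primary key, so a signing subkey has to exist before the primary key can be kept on separate media.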
From gpg2.20.maniams at dfgh.net Sat May 16 17:33:19 2009
From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net)
Date: Sat, 16 May 2009 19:33:19 +0400
Subject: 1) How to migrate Keys from PGP to GPG 2) Is the reverse possible ?
Message-ID: <5313cd090905160833w2e3c0e3bs79ad5c712a0b4e13@mail.gmail.com>
Hi
Request list members to help me with _command_line_ tips on how to migrate
keys from PGP (6.5.x CKT) to GPG 1.4.9.
Is the converse possible i.e. send keys from GPG 1.4.9. to PGP (6.5.x CKT)
I work on a Windows XP environment . I do _not_ use any GPG front ends....
regards
maniams
From steveo at syslang.net Mon May 18 01:21:35 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Sun, 17 May 2009 19:21:35 -0400 (EDT)
Subject: There are actually two public keys?
In-Reply-To: <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
References:
<4A0F4134.4080307@sixdemonbag.org>
<4A0F5C4A.8040104@jameshoward.us>
<7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
Message-ID:
On Saturday, May 16th 2009 at 23:40 -0000, quoth David Shaw:
=>On May 16, 2009, at 9:14 PM, Lucio Capuani wrote:
=>
=>> > Can anyone explain why there is a difference between signing and
=>> > encrypting keypairs, even for the same type (RSA)?
=>>
=>> As far as I've understood from the documentation, one of the reason
=>> should be that it would be good practice to keep the signing key valid
=>> indefinitely (thus, having one that never expires so old signatures
=>> can be verified too) and renew the cryptographic one pretty often for
=>> security reason. As before, I'd love to get confirmations or denials
=>> of that ;), and if there's else about it.
=>
=>That's one of the reasons. There were actually a good few reasons for the
=>switch at the time (the "PGP 3" timeframe, which became the PGP 5.0 product).
=>One reason was legal, and not technical. RSA was still patented at the time,
=>so that couldn't as easily be used. DSA was chosen, but DSA can't encrypt,
=>which pretty much required a multiple key (primary key + subkeys) solution.
=>In addition, though, the multiple key solution was chosen for its flexibility,
=>as you noted. It is handy to be able to make multiple subkeys and regenerate
=>them as needed.
=>
=>One thing the multiple subkey design makes possible is to keep the primary key
=>offline altogether, and just use subkeys for all the day to day encryption and
=>signing needs. In this way of working, the primary key is only used for two
=>purposes: to make new subkeys when that becomes necessary, and to sign other
=>people's keys. When it is not in use (i.e. most of the time), the primary key
=>is stored on separate media (say, a CD-ROM or USB stick). See the
=>--export-secret-subkeys description in the GPG manual for more on this.
=>
=>Note, though, that if you want a single key for everything, you can still do
=>that. Generate yourself an RSA key using the --expert flag, and you can
=>create a key that is capable of both encrypting and signing in a single key.
=>It's unusual, and I don't recommend it, but GPG will happily use it.
This is somewhat of a revelation to me, but I admit I'm a little new to
this so can't claim that it's a big revelation.
I have read up on the theory of asymmetric crypto and I'm comfortable with
that side of it, but I'd like to learn more on the technical side,
especially as it pertains specifically to gpg. I have read the GPG and PGP
book by Lucas and I also read the old PGP book by Garfinkel.
I look at the output of gpg2 -K and I never actually saw anything that
describes what the sec, uid and ssb rows mean. I don't see a concise
description of how and when the different data items are used to ref a key
in a gpg command, e.g., when do I use a fingerprint? what's the proper
thing to use when specifying an operation? It's sort of analogous to
knowing how to create a complex definition in C and also being able to
deref it. (Most programmers, don't usually get it right when they try to
distinguish between an array of ptrs to ints vs a ptr to an array of
ints.) How do I make use of multiple subkeys and when and why do I want to
do this? Things like that.
Any suggestions?
--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
From Resul-Cetin at gmx.net Fri May 15 12:30:27 2009
From: Resul-Cetin at gmx.net (Resul Cetin)
Date: Fri, 15 May 2009 12:30:27 +0200
Subject: Changing usage of master key
Message-ID: <200905151230.27573.Resul-Cetin@gmx.net>
Hi,
I generated a new RSA cert/sign key. Default is to use it as sign and cert,
but I wanted to use a separated sign subkey and use the master key only for
cert stuff. Is it possible to change it afterwards and how to do it? I have no
fear of hex editors and unix commandline tools. My first idea is to switch a
bit somewhere in a `gpg --export` and then reimport it to do a resign of the
key and upload it again to a key server.
Is there now a good way to move a subkey between two keys? The method
described at http://atom.smasher.org/gpg/gpg-migrate.txt don't work because in
the step "resign using the expire trick" doesn't work. I cannot see a usage
behind the short output of the `key` command in --edit-key and when I try to
save it after the resign, gpg will end with 2 as return code (I would assume
that the key and its subkey wasn't saved). A export and reimport afterwards
removes the "moved" key.
Can you please cc me, because I am not subscribed to the mailing list (but
will look at the archives from time to time).
Best regards,
Resul Cetin
From robert.stemper at parknicollet.com Fri May 15 18:27:46 2009
From: robert.stemper at parknicollet.com (Stemper, Robert (Bob))
Date: Fri, 15 May 2009 11:27:46 -0500
Subject: Configure error libgcrypt and libgpg-error
Message-ID: <6993ECE27A020546A47BAB2CD95FBB1F7E455139@EXVS2.master.com>
Hi.
I am trying to install the GPG 2.0 package and need to first install the prereq packages, as listed in the readme.
GnuPG 2.0 depends on the following packages:
libgpg-error (ftp://ftp.gnupg.org/gcrypt/libgpg-error/)
libgcrypt (ftp://ftp.gnupg.org/gcrypt/libgcrypt/)
libksba (ftp://ftp.gnupg.org/gcrypt/libksba/)
libassuan (ftp://ftp.gnupg.org/gcrypt/libassuan/)
I have just compiled and installed the libgpg-error-1.7 package (on an AIX 6.1 system - PowerPC Power6). Then I tried to install the libgcrypt-1.4.4 package next, but the configure step failed with the error,
...
checking whether padlock support is requested... yes
checking for gpg-error-config... no
checking for GPG Error - version >= 1.4... no
configure: error: libgpg-error is needed.
See ftp://ftp.gnupg.org/gcrypt/libgpg-error/ .
although this package did install fine, and this file is located under the default lib dir of /usr/local/lib.
Any idea?
Bob
From jnhemley at yahoo.com Mon May 18 03:08:40 2009
From: jnhemley at yahoo.com (jnhemley)
Date: Sun, 17 May 2009 18:08:40 -0700 (PDT)
Subject: Import Secret Key
Message-ID: <23589668.post@talk.nabble.com>
I was sent a file to decrypt. I got an error saying "secret key not
available". I then tried to import a secret key from my original file. I got
an error "permission Denied" along with "file rename error" and "error
reading file". What am I doing wrong?
From fpatnaikk at westpac.com.au Mon May 18 03:05:37 2009
From: fpatnaikk at westpac.com.au (Farha Patnaikk)
Date: Mon, 18 May 2009 11:05:37 +1000
Subject: gpg: mpi too large for this implementation (20744 bits)
Message-ID:
Hi,
I am exchanging files with another party, I use Version: 7.1.1 of pgp.
The party with whom I am exchanging files uses gpg.
I am able to decrypt their encrypted file successfully but they are not
able to decrypt my encrypted file. They get the
following error message
C:\Temp>gpg --homedir "C:\temp" --output 01.txt --decrypt testfile.dat.pgp
gpg: mpi too large for this implementation (20744 bits)
C:\Temp>gpg --homedir "C:\temp" --output 01.txt --openpgp --decrypt testfile.dat.pgp
gpg: mpi too large for this implementation (20744 bits)
what could be the reason for this ??? I am not able to find any help on
the internet.
Please try to help me .
Thanks.
Regards,
Farha Patnaikk | Consultant | Corporate Core Projects & Technology |
Westpac Banking Corporation
Level 17, 275 Kent Street, Sydney NSW 2000 Australia
Phone +61 8254 (2)7547 | fpatnaikk at westpac.com.au
From sk at intertivity.com Mon May 18 12:19:39 2009
From: sk at intertivity.com (Sascha Kiefer)
Date: Mon, 18 May 2009 14:19:39 +0400
Subject: mpi too large for this implementation (20744 bits)
In-Reply-To:
References:
Message-ID: <007d01c9d7a2$284f76e0$78ee64a0$@com>
You may try
gpg --print-md sha1 testfile.dat.pgp
to ensure that the file is not corrupted during transport.
HTH
Sascha
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org]
On Behalf Of Farha Patnaikk
Sent: Monday, 18 May 2009 05:06
To: gnupg-users at gnupg.org
Subject: gpg: mpi too large for this implementation (20744 bits)
Hi,
I am exchanging files with another party; I use version 7.1.1 of PGP.
The party with whom I am exchanging files uses gpg.
I am able to decrypt their encrypted file successfully but they are not able
to decrypt my encrypted file. They get the
following error message
C:\Temp>gpg --homedir "C:\temp" --output 01.txt --decrypt testfile.dat.pgp
gpg: mpi too large for this implementation (20744 bits)
C:\Temp>gpg --homedir "C:\temp" --output 01.txt --openpgp --decrypt testfile.dat.pgp
gpg: mpi too large for this implementation (20744 bits)
What could be the reason for this? I am not able to find any help on the
internet.
Please try to help me.
Thanks.
Regards,
Farha Patnaikk | Consultant | Corporate Core Projects & Technology | Westpac
Banking Corporation
Level 17, 275 Kent Street, Sydney NSW 2000 Australia
Phone +61 8254 (2)7547 | fpatnaikk at westpac.com.au
From jmoore3rd at bellsouth.net Mon May 18 13:10:20 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 18 May 2009 07:10:20 -0400
Subject: Import Secret Key
In-Reply-To: <23589668.post@talk.nabble.com>
References: <23589668.post@talk.nabble.com>
Message-ID: <4A11421C.5090001@bellsouth.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
jnhemley wrote:
> I was sent a file to decrypt. I got an error saying "secret key not
> available". I then tried to import a secret key from my original file. I got
> an error "permission Denied" along with "file rename error" and "error
> reading file". What am I doing wrong ?
Sounds like they 'failed/forgot' to encrypt the file to Your Key.
Perhaps You should request a resend.
JOHN ;)
Timestamp: Monday 18 May 2009, 07:10 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn5005: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----
From rah at shipwright.com Mon May 18 14:45:38 2009
From: rah at shipwright.com (R.A. Hettinga)
Date: Mon, 18 May 2009 08:45:38 -0400
Subject: There are actually two public keys?
In-Reply-To:
References:
<4A0F4134.4080307@sixdemonbag.org>
<4A0F5C4A.8040104@jameshoward.us>
<7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
Message-ID:
I passed this on to Jon Callas. Here's what he came back with...
Cheers,
RAH
-------
My apologies for top-posting, and please forward this on.
I'm going to agree slightly differently with David Shaw.
The reason for it is a notion of what's called "key hygiene," and
that's an important concept in RSA usage. That is the notion that one
should never sign with an encryption key, and never encrypt with a
signing key.
The reason for RSA is that every signature is a decryption, and every
encryption is a signature verification. The worry is that if you use
one key for both encrypting and signing, there's the possibility that
something exists that corresponds to that encryption as a signature.
And actually, such a thing must exist. In the hyperbole of the time,
there's the possibility that a murder confession exists that
corresponds to every encryption. I'm probably not explaining it as
well as others could, mostly because it's late as I write this, and it
always made me roll my eyes when I heard it.
The idea is arguably daft, but less so if you have weak hash
functions, perhaps. Nonetheless, it does make sense that since
encrypting and signing are the reverses of each other in RSA, you
should just make the policy decision to use a key *either* for
encrypting or signing, but not both.
That's the real reason for the dual key stuff in PGP 3, and thus
OpenPGP.
The discrete log stuff followed, but that was events catching up with
design. The DSA/Elgamal versions came very close to never being
shipped. Key hygiene was the first reason for the dual key structure.
Jon
On May 17, 2009, at 4:32 PM, R.A. Hettinga wrote:
>
>
> Begin forwarded message:
>
>> From: "Steven W. Orr"
>> Date: May 17, 2009 7:21:35 PM GMT-04:00
>> To: GnuPG Users
>> Subject: Re: There are actually two public keys?
>>
>> On Saturday, May 16th 2009 at 23:40 -0000, quoth David Shaw:
>>
>> =>On May 16, 2009, at 9:14 PM, Lucio Capuani wrote:
>> =>
>> =>> > Can anyone explain why there is a difference between signing and
>> =>> > encrypting keypairs, even for the same type (RSA)?
>> =>>
>> =>> As far as I've understood from the documentation, one of the reason
>> =>> should be that it would be good practice to keep the signing key valid
>> =>> indefinitely (thus, having one that never expires so old signatures
>> =>> can be verified too) and renew the cryptographic one pretty often for
>> =>> security reason. As before, I'd love to get confirmations or denials
>> =>> of that ;), and if there's else about it.
>> =>
>> =>That's one of the reasons. There were actually a good few reasons for the
>> =>switch at the time (the "PGP 3" timeframe, which became the PGP 5.0 product).
>> =>One reason was legal, and not technical. RSA was still patented at the time,
>> =>so that couldn't as easily be used. DSA was chosen, but DSA can't encrypt,
>> =>which pretty much required a multiple key (primary key + subkeys) solution.
>> =>In addition, though, the multiple key solution was chosen for its flexibility,
>> =>as you noted. It is handy to be able to make multiple subkeys and regenerate
>> =>them as needed.
>> =>
>> =>One thing the multiple subkey design makes possible is to keep the primary key
>> =>offline altogether, and just use subkeys for all the day to day encryption and
>> =>signing needs. In this way of working, the primary key is only used for two
>> =>purposes: to make new subkeys when that becomes necessary, and to sign other
>> =>people's keys. When it is not in use (i.e. most of the time), the primary key
>> =>is stored on separate media (say, a CD-ROM or USB stick). See the
>> =>--export-secret-subkeys description in the GPG manual for more on this.
>> =>
>> =>Note, though, that if you want a single key for everything, you can still do
>> =>that. Generate yourself an RSA key using the --expert flag, and you can
>> =>create a key that is capable of both encrypting and signing in a single key.
>> =>It's unusual, and I don't recommend it, but GPG will happily use it.
>>
>> This is somewhat of a revelation to me, but I admit I'm a little new to
>> this so can't claim that it's a big revelation.
>>
>> I have read up on the theory of asymmetric crypto and I'm comfortable with
>> that side of it, but I'd like to learn more on the technical side,
>> especially as it pertains specifically to gpg. I have read the GPG and PGP
>> book by Lucas and I also read the old PGP book by Garfinkel.
>>
>> I look at the output of gpg2 -K and I never actually saw anything that
>> describes what the sec, uid and ssb rows mean. I don't see a concise
>> description of how and when the different data items are used to ref a key
>> in a gpg command, e.g., when do I use a fingerprint? what's the proper
>> thing to use when specifying an operation? It's sort of analogous to
>> knowing how to create a complex definition in C and also being able to
>> deref it. (Most programmers, don't usually get it right when they try to
>> distinguish between an array of ptrs to ints vs a ptr to an array of
>> ints.) How do I make use of multiple subkeys and when and why do I want to
>> do this? Things like that.
>>
>> Any suggestions?
>>
>> --
>> Time flies like the wind. Fruit flies like a banana. Stranger
>> things have .0.
>> happened but none stranger than this. Does your driver's license
>> say Organ ..0
>> Donor?Black holes are where God divided by zero. Listen to me! We
>> are all- 000
>> individuals! What if this weren't a hypothetical question?
>> steveo at syslang.net
>>
>
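Jon Callas's remark above that in RSA "every signature is a decryption", worked through with textbook (unpadded) RSA. This is an added example, not code from the thread or from PGP/GnuPG; the toy keys, the function names and the sample message are constructed for illustration, and real OpenPGP pads and hashes before the RSA step.

```python
"""Textbook RSA showing why one key should not both sign and decrypt.

Added illustration: unpadded RSA on constructed toy keys. Real OpenPGP
pads and hashes before the RSA step; this strips that away on purpose.
"""
import hashlib
from math import gcd

E = 65537  # common public exponent

# Constructed toy keys built from Mersenne primes (not secure sizes).
SHARED_PRIMES = (2**61 - 1, 2**89 - 1)
ENCRYPT_ONLY_PRIMES = (2**107 - 1, 2**127 - 1)


def make_key(primes):
    """Return (n, d) for textbook RSA with public exponent E."""
    p, q = primes
    phi = (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("E must be invertible modulo phi(n)")
    return p * q, pow(E, -1, phi)


def private_op(x, key):
    """x^d mod n: the one operation the secret key can perform."""
    n, d = key
    return pow(x, d, n)


def public_op(x, key):
    """x^e mod n: the one operation anyone can perform."""
    n, _ = key
    return pow(x, E, n)


def digest_int(message, key):
    """Toy message representative: SHA-256 reduced mod n (no padding)."""
    n, _ = key
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


# The four named operations are just the two primitives above.
def encrypt(m, key):
    return public_op(m, key)


def decrypt(c, key):
    return private_op(c, key)


def sign(message, key):
    return private_op(digest_int(message, key), key)


def verify(message, signature, key):
    return public_op(signature, key) == digest_int(message, key)


def decrypt_as_signature(message, signing_key, decryption_key):
    """Feed a message digest to the decryption routine as if it were
    ciphertext, then test the output as a signature under signing_key."""
    pretend_ciphertext = digest_int(message, signing_key)
    output = decrypt(pretend_ciphertext, decryption_key)
    return verify(message, output, signing_key)


def demo():
    msg = b"constructed sample message"
    shared = make_key(SHARED_PRIMES)
    enc_only = make_key(ENCRYPT_ONLY_PRIMES)
    return {
        # One key for both roles: the decryption output IS a signature.
        "shared_key": decrypt_as_signature(msg, shared, shared),
        # Key hygiene: the encryption key's output proves nothing
        # about the signing key.
        "separate_keys": decrypt_as_signature(msg, shared, enc_only),
    }


if __name__ == "__main__":
    print(demo())
```

With a dedicated encryption subkey, nothing the decryption routine outputs can stand in for a signature by the signing key, which is the policy the primary-plus-subkey layout enforces.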
From christoph.anton.mitterer at physik.uni-muenchen.de Mon May 18 16:35:29 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Mon, 18 May 2009 16:35:29 +0200
Subject: Changing usage of master key
In-Reply-To: <200905151230.27573.Resul-Cetin@gmx.net>
References: <200905151230.27573.Resul-Cetin@gmx.net>
Message-ID: <20090518163529.13695enz88rzt5wk@webmail.physik.uni-muenchen.de>
In principle it is possible by issuing new self-sigs, but gnupg
doesn't support this AFAIK.
Chris.
From jh at jameshoward.us Mon May 18 23:49:40 2009
From: jh at jameshoward.us (James P. Howard, II)
Date: Mon, 18 May 2009 17:49:40 -0400
Subject: There are actually two public keys?
In-Reply-To:
References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
Message-ID: <4A11D7F4.2080104@jameshoward.us>
On Mon May 18 08:45:38 2009, R.A. Hettinga wrote:
> The reason for it is a notion of what's called "key hygiene," and
> that's an important concept in RSA usage. That is the notion that one
> should never sign with an encryption key, and never encrypt with a
> signing key.
This leads indirectly to another question: Why can't I sign someone
else's key with a subkey? And on a divergent note, using the black
magic described elsewhere[1], is it bad to convert a subkey into a
primary key and use it to sign others?
James
1. http://atom.smasher.org/gpg/gpg-migrate.txt
--
James P. Howard, II, MPA
jh at jameshoward.us
From dshaw at jabberwocky.com Tue May 19 01:58:08 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 18 May 2009 19:58:08 -0400
Subject: There are actually two public keys?
In-Reply-To: <4A11D7F4.2080104@jameshoward.us>
References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
<4A11D7F4.2080104@jameshoward.us>
Message-ID: <0E8A6406-4685-48CF-B407-FF8451E411D4@jabberwocky.com>
On May 18, 2009, at 5:49 PM, James P. Howard, II wrote:
> On Mon May 18 08:45:38 2009, R.A. Hettinga wrote:
>
>> The reason for it is a notion of what's called "key hygiene," and
>> that's an important concept in RSA usage. That is the notion that one
>> should never sign with an encryption key, and never encrypt with a
>> signing key.
>
> This leads indirectly to another question: Why can't I sign someone
> else's key with a subkey?
Signing with a subkey has a slightly different meaning than signing
with a primary key. When you sign a key, you're actually signing a
combination of the primary key and user ID that you chose to sign. If
you signed with a subkey, you'd lose the nice symmetry of signing with
the thing that your friend is also signing on your key. Rather, you'd
be signing with something one "hop" away from that primary key, as the
subkeys are signed by the primary.
Perhaps a more immediate answer is that nobody ever implemented it.
OpenPGP itself doesn't care (OpenPGP actually doesn't specify all that
much about trust models and the web of trust). Historically, the web
of trust was built between signatures between primaries, and that's
what everyone implements today. At one point there was talk of
publishing a standard for the web of trust, but there didn't seem to
be much interest in it.
> And on a divergent note, using the black
> magic described elsewhere[1], is it bad to convert a subkey into a
> primary key and use it to sign others?
To do this, you have to have the key in primary key form in the
(local) web of trust. If you don't, then the signatures won't be used.
David
From chris at chrispoole.com Tue May 19 13:32:12 2009
From: chris at chrispoole.com (Chris Poole)
Date: Tue, 19 May 2009 12:32:12 +0100
Subject: SHA1 issues, generic advice for average user?
Message-ID: <9b0fc5ee0905190432x3b792aceg68ef60dde050aeab@mail.gmail.com>
I don't use GPG all that much, but am a little concerned with the recent
SHA1 collision news.
From what I've read on this list, it doesn't seem to be too much of an
issue.
I wonder if someone could clarify some things for me, please:
1) Is this just an issue with signatures, or does it impact the encryption
resistance?
2) I don't want to lose my current keys, as I have many files that I have
encrypted. Will changing the default hash with the setpref command in the
edit menu (to something like SHA512) help, at all?
Essentially, should an average user of GPG be doing anything? If, after
people have thought about this issue and better hashes are recommended, will
that require current keys to be discarded?
(My key is 1024D with 4096g subkey, if that makes any difference.)
Thanks.
From jh at jameshoward.us Tue May 19 19:46:58 2009
From: jh at jameshoward.us (James P. Howard, II)
Date: Tue, 19 May 2009 13:46:58 -0400
Subject: There are actually two public keys?
In-Reply-To: <0E8A6406-4685-48CF-B407-FF8451E411D4@jabberwocky.com>
References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
<4A11D7F4.2080104@jameshoward.us>
<0E8A6406-4685-48CF-B407-FF8451E411D4@jabberwocky.com>
Message-ID: <4A12F092.3020803@jameshoward.us>
On Mon May 18 19:58:08 2009, David Shaw wrote:
> Signing with a subkey has a slightly different meaning than signing with
> a primary key. When you sign a key, you're actually signing a
> combination of the primary key and user ID that you chose to sign. If
> you signed with a subkey, you'd lose the nice symmetry of signing with
> the thing that your friend is also signing on your key. Rather, you'd
> be signing with something one "hop" away from that primary key, as the
> subkeys are signed by the primary.
>
> Perhaps a more immediate answer is that nobody ever implemented it.
> OpenPGP itself doesn't care (OpenPGP actually doesn't specify all that
> much about trust models and the web of trust). Historically, the web of
> trust was built between signatures between primaries, and that's what
> everyone implements today. At one point there was talk of publishing a
> standard for the web of trust, but there didn't seem to be much interest
> in it.
This is fascinating and I need to think about that a bit.
>> And on a divergent note, using the black
>> magic described elsewhere[1], is it bad to convert a subkey into a
>> primary key and use it to sign others?
>
> To do this, you have to have the key in primary key form in the (local)
> web of trust. If you don't, then the signatures won't be used.
Well, I did succeed in doing it last night as a test. So I guess the
bigger question, is it poor etiquette?
James
--
James P. Howard, II, MPA
jh at jameshoward.us
From dshaw at jabberwocky.com Wed May 20 02:19:17 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 19 May 2009 20:19:17 -0400
Subject: There are actually two public keys?
In-Reply-To: <4A12F092.3020803@jameshoward.us>
References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
<4A11D7F4.2080104@jameshoward.us>
<0E8A6406-4685-48CF-B407-FF8451E411D4@jabberwocky.com>
<4A12F092.3020803@jameshoward.us>
Message-ID: <2518858D-3B32-452C-A35B-F4D80F977BDC@jabberwocky.com>
On May 19, 2009, at 1:46 PM, James P. Howard, II wrote:
>>> And on a divergent note, using the black
>>> magic described elsewhere[1], is it bad to convert a subkey into a
>>> primary key and use it to sign others?
>>
>> To do this, you have to have the key in primary key form in the (local)
>> web of trust. If you don't, then the signatures won't be used.
>
> Well, I did succeed in doing it last night as a test. So I guess the
> bigger question, is it poor etiquette?
I wouldn't think so. The rest of the world will likely never even
notice that you're doing it, and the only person who you can really
hurt here is yourself. At worst, you'd be denying other people the
use of some key signatures that you made.
David
From webmaster at felipe1982.com Wed May 20 14:23:30 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Wed, 20 May 2009 22:23:30 +1000
Subject: gpg: mpi too large for this implementation (20744 bits)
In-Reply-To:
References:
Message-ID: <200905202223.41310.webmaster@felipe1982.com>
On Mon, 18 May 2009 11:05:37 Farha Patnaikk wrote:
> C:\Temp>gpg --homedir "C:\temp" --output 01.txt --decrypt testfile.dat.pgp
> gpg: mpi too large for this implementation (20744 bits)
>
> C:\Temp>gpg --homedir "C:\temp" --output 01.txt --openpgp --decrypt testfile.dat.pgp
> gpg: mpi too large for this implementation (20744 bits)
Is the recipient able to verify your signature?
Felipe
From kaustubh.gadkari at gmail.com Wed May 20 17:13:50 2009
From: kaustubh.gadkari at gmail.com (kaustubh.gadkari at gmail.com)
Date: Wed, 20 May 2009 09:13:50 -0600 (MDT)
Subject: gpgme does not find key for user after setuid()
Message-ID:
Hi,
I have a signer, that I run as root, but which drops privileges to a user 'A', using setuid(). I run the signer with the command below:
./simple-signer 'name of key' 'data to sign' A
When run like this, the signer does not find the key for user A.
If I run the signer as user A:
./simple-signer 'name of key' 'data to sign'
gpgme finds the key.
Any pointers as to why this happens would be appreciated.
Thanks,
Kaustubh
--
Kaustubh Gadkari
kaustubh [dot] gadkari [at] gmail [dot] com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: simple-signer.cc
Type: text/x-c++src
Size: 5419 bytes
Desc: not available
URL:
From arizonagroovejet at gmail.com Wed May 20 21:00:42 2009
From: arizonagroovejet at gmail.com (mike _)
Date: Wed, 20 May 2009 20:00:42 +0100
Subject: Can't enter passphrase in su session.
Message-ID: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
I have an account, bob, on a machine that is used for building rpms
and then creating and signing a repository.
If I log in to the machine as bob via ssh and run
$ gpg -a --detach-sign somedir/repodata/repomd.xml
then all is well.
As the bob account will be used by multiple people I want to block ssh
logins for bob and have people log in via ssh with their own account
and use 'su -' to become the user. This then leaves a trail in the log
of who became bob when. But, if I log in to the machine as myself,
then do
$ su - bob
Then run
$ gpg -a --detach-sign somedir/repodata/repomd.xml
I get
gpg: using PGP trust model
gpg: key B97DE878: accepted as trusted key
You need a passphrase to unlock the secret key for
user: "Bob"
4096-bit RSA key, ID B97DE878, created 2009-05-19
can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory
gpg: no running gpg-agent - starting one
gpg-agent[29808]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: no default secret key: General error
gpg: signing failed: General error
I'm never given a chance to enter the passphrase, gpg just declares
failure and tells me I canceled the operation. Which I didn't.
I've compared the output of 'env' for both an ssh login session and
'su -' session and apart from a few variables relating to ssh, they're
the same.
There must be something different about the sessions that explains why
I'm never given a chance to enter the passphrase in the 'su -'
session, but I'm at a loss as to what.
I did try searching the mailing lists and Google, but 'su' results in
an huge amount of (at least seemingly) irrelevant hits, so I gave up
fairly quickly!
Can anyone offer any insight in this issue?
thanks,
mike
From cbabcock at kolonelpanic.com Wed May 20 23:36:48 2009
From: cbabcock at kolonelpanic.com (Chris Babcock)
Date: Wed, 20 May 2009 14:36:48 -0700
Subject: Can't enter passphrase in su session.
In-Reply-To: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
Message-ID: <20090520143648.07b74643@mail.asciiking.com>
On Wed, 20 May 2009 20:00:42 +0100
mike _ wrote:
> Can anyone offer any insight in this issue?
http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html
In .bash_profile, you will have something *like* this:
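if test -f "$HOME/.gpg-agent-info" && \
   kill -0 `cut -d: -f 2 "$HOME/.gpg-agent-info"` 2>/dev/null; then
    # An agent from an earlier login is still alive: reuse it.
    GPG_AGENT_INFO=`cat "$HOME/.gpg-agent-info"`
    export GPG_AGENT_INFO
else
    # No live agent: start one and record its socket info for later shells.
    eval `/usr/bin/gpg-agent --daemon`
    echo "$GPG_AGENT_INFO" >"$HOME/.gpg-agent-info"
fi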
You *may* have something like this:
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi
The code to launch gpg-agent needs to be in .bashrc if you want it to
execute for su users. If your .bash_profile executes your .bashrc as
above then you can remove the definition from .bash_profile.
Chris Babcock
From steveo at syslang.net Thu May 21 00:31:23 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Wed, 20 May 2009 18:31:23 -0400 (EDT)
Subject: Can't enter passphrase in su session.
In-Reply-To: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
Message-ID:
On Wednesday, May 20th 2009 at 15:00 -0000, quoth mike _:
=>I have an account, bob, on a machine that is used for building rpms
=>and then creating and signing a repository.
=>
=>If I log in to the machine as bob via ssh and run
=>
=>$ gpg -a --detach-sign somedir/repodata/repomd.xml
=>
=>then all is well.
=>
=>As the bob account will be used by multiple people I want to block ssh
=>logins for bob and have people log in via ssh with their own account
=>and use 'su -' to become the user. This then leaves a trail in the log
=>of who became bob when. But, if I log in to the machine as myself,
=>then do
=>
=>$ su - bob
=>
=>Then run
=>
=>$ gpg -a --detach-sign somedir/repodata/repomd.xml
=>
=>I get
=>
=>gpg: using PGP trust model
=>gpg: key B97DE878: accepted as trusted key
=>
=>You need a passphrase to unlock the secret key for
=>user: "Bob"
=>4096-bit RSA key, ID B97DE878, created 2009-05-19
=>
=>can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory
=>gpg: no running gpg-agent - starting one
=>gpg-agent[29808]: command get_passphrase failed: Operation cancelled
=>gpg: cancelled by user
=>gpg: no default secret key: General error
=>gpg: signing failed: General error
=>
=>I'm never given a chance to enter the passphrase, gpg just declares
=>failure and tells me I canceled the operation. Which I didn't.
=>
=>I've compared the output of 'env' for both an ssh login session and
=>'su -' session and apart from a few variables relating to ssh, they're
=>the same.
=>
=>There must be something different about the sessions that explains why
=>I'm never given a chance to enter the passphrase in the 'su -'
=>session, but I'm at a loss as to what.
=>
=>I did try searching the mailing lists and Google, but 'su' results in
=>an huge amount of (at least seemingly) irrelevant hits, so I gave up
=>fairly quickly!
=>
=>Can anyone offer any insight in this issue?
I'm going to take a stab at this one. If I'm wrong then I expect to be
suitably chastised.
It seems like you need to read the man page on gpg-agent to make sure that
whether you log in directly, via su or via ssh, that the GPG_AGENT_INFO
variable be properly set. If you log in via X then you probably have the
variable set as part of your session. su will prevent that env var from
being passed through by default. That is configurable by using -m or by
using sudo instead of su and suitably configuring your sudoers file. Also,
ssh can be configured to set the variable, but you probably just want to
do it in your .bash_profile dependent on how DISPLAY is set.
--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
From allen.schultz at gmail.com Thu May 21 11:35:44 2009
From: allen.schultz at gmail.com (Allen Schultz)
Date: Thu, 21 May 2009 03:35:44 -0600
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <3f34f8420905210234l7e21e2fn758456f155f9743c@mail.gmail.com>
References: <3f34f8420905210234l7e21e2fn758456f155f9743c@mail.gmail.com>
Message-ID: <3f34f8420905210235y1bb6b6f8sca6b9104776fa0d1@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256,SHA1
For the reason of SHA1 issues in the news, I've recently set up a new
OpenPGP key, and will be transitioning away from my old one.
The old key will continue to be valid for some time, but I prefer all
future correspondence to come to the new one. I would also like this new
key to be re-integrated into the web of trust. This message is signed by
both keys to certify the transition.
The old key was:
pub   1024D/EE79C636 2009-04-24
      Key fingerprint = 0DC0 D8F6 A3A7 C107 59C4  1512 579A F712 EE79 C636
uid                  Allen Schultz
uid                  [jpeg image of size 6128]
sub   2048g/762B1E36 2009-04-24
And the new key is:
pub   3072R/DAD4736B 2009-05-20
      Key fingerprint = 16AD EFE1 D68F C8A8 B086  68CD 1A35 85C7 DAD4 736B
uid                  Allen Schultz (aldaek)
sub   2048R/F55651E0 2009-05-20 [expires: 2010-05-20]
sub   2048R/5687B83E 2009-05-20 [expires: 2010-05-20]
To fetch my new key from a public key server, you can simply do:
  gpg --keyserver pgp.mit.edu --recv-key DAD4736B
If you already know my old key, you can now verify that the new key is
signed by the old one:
  gpg --check-sigs DAD4736B
If you don't already know my old key, or you just want to be double
extra paranoid, you can check the fingerprint against the one above:
  gpg --fingerprint DAD4736B
If you are satisfied that you've got the right key, and the UIDs match
what you expect, I'd appreciate it if you would sign my key:
  gpg --sign-key DAD4736B
Lastly, if you could upload these signatures, I would appreciate it.
You can either send me an e-mail with the new signatures (if you have
a functional MTA on your system):
  gpg --armor --export DAD4736B | mail -s 'OpenPGP Signatures' allen.schultz at gmail.com
Or you can just upload the signatures to a public keyserver directly:
  gpg --keyserver pgp.mit.edu --send-key DAD4736B
Please let me know if there is any trouble, and sorry for the
inconvenience.
Regards,
   --ads
PS: Transition Letter idea copied from dkg
(http://fifthhorseman.net/key-transition-2007-06-15.txt).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72
-----END PGP SIGNATURE-----
--
Allen Schultz
From Resul-Cetin at gmx.net Mon May 18 16:46:02 2009
From: Resul-Cetin at gmx.net (Resul Cetin)
Date: Mon, 18 May 2009 16:46:02 +0200
Subject: Changing usage of master key
In-Reply-To: <20090518163529.13695enz88rzt5wk@webmail.physik.uni-muenchen.de>
References: <200905151230.27573.Resul-Cetin@gmx.net>
<20090518163529.13695enz88rzt5wk@webmail.physik.uni-muenchen.de>
Message-ID: <200905181646.03701.Resul-Cetin@gmx.net>
On Monday 18 May 2009 16:35:29 Christoph Anton Mitterer wrote:
> In principle it is possible by issuing new self-sigs, but gnupg
> doesn't support this AFAIK.
Does there exist another program to do this (I won't tell anyone ;) )? The PGP
Desktop applications don't seem to be able to do anything advanced.
I will look at the gnupg source code to try to find the correct section to
manipulate the usage. But the info that it can be handled by a new self
signature helps a lot. Now I know that it doesn't get ignored by the
information stored on the key server. Thanks
Regards,
Resul Cetin
From Resul-Cetin at gmx.net Mon May 18 17:47:29 2009
From: Resul-Cetin at gmx.net (Resul Cetin)
Date: Mon, 18 May 2009 17:47:29 +0200
Subject: Changing usage of master key
In-Reply-To: <200905181646.03701.Resul-Cetin@gmx.net>
References: <200905151230.27573.Resul-Cetin@gmx.net>
<20090518163529.13695enz88rzt5wk@webmail.physik.uni-muenchen.de>
<200905181646.03701.Resul-Cetin@gmx.net>
Message-ID: <200905181747.29784.Resul-Cetin@gmx.net>
On Monday 18 May 2009 16:46:02 Resul Cetin wrote:
> On Monday 18 May 2009 16:35:29 Christoph Anton Mitterer wrote:
> > In principle it is possible by issuing new self-sigs, but gnupg
> > doesn't support this AFAIK.
>
> I will look at the gnupg source code to try to find the correct section to
> manipulate the usage. But the info that it can be handled by a new self
> signature helps a lot. Now I know that it doesn't get ignored by the
> information stored on the key server. Thanks
Ok, it was quite easy to do (not clean, but it could be done in a fast and
hackish way). Just searched for gnupg-1.4.9/g10/getkey.c:parse_key_usage and
changed p to non-const and always set "(*p) &=~2;". Afterwards I started my
new compiled hackish-gpg --edit-key and set the expire of my master key. After
this procedure I had only the Cert flag set. Thanks Christoph - you are my
personal hero of the day :)
Regards,
Resul Cetin
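An added example, not part of the original post and not GnuPG code: it reads the key-flags subpacket (type 27) from `gpg --list-packets` text and shows what clearing bit 0x02, as described above, leaves behind. The packet listing is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the usage a key's self-signatures actually claim.

# decode_key_flags HEX -> letters in the order --edit-key prints "usage:".
# First-octet bits (RFC 4880, 5.2.3.21): 0x01 certify, 0x02 sign,
# 0x04/0x08 encrypt, 0x20 authenticate.
decode_key_flags() {
    f=$(( 0x$1 ))
    out=''
    if [ $(( f & 0x0C )) -ne 0 ]; then out="${out}E"; fi
    if [ $(( f & 0x02 )) -ne 0 ]; then out="${out}S"; fi
    if [ $(( f & 0x01 )) -ne 0 ]; then out="${out}C"; fi
    if [ $(( f & 0x20 )) -ne 0 ]; then out="${out}A"; fi
    echo "$out"
}

# clear_flag HEX MASK -> two-digit hex with the MASK bits cleared,
# the same arithmetic as "(*p) &= ~2" applied to one octet.
clear_flag() {
    printf '%02X\n' $(( 0x$1 & ~0x$2 & 0xFF ))
}

# Reads `gpg --list-packets` text on stdin and prints
# "sigclass flags usage" for every signature carrying key flags.
# Only the first flags octet is decoded.
list_key_flags() {
    awk '
        /sigclass 0x/ {
            c = $0; sub(/.*sigclass /, "", c); sub(/[^0-9A-Fa-fx].*/, "", c)
        }
        /subpkt 27 len/ && /key flags:/ {
            f = $0; sub(/.*key flags: */, "", f); sub(/[^0-9A-Fa-f].*/, "", f)
            print c, f
        }
    ' | while read -r class flags; do
        echo "$class $flags $(decode_key_flags "$flags")"
    done
}

# Constructed sample (not captured from a real key): a user-ID
# self-signature (0x13) and a subkey binding signature (0x18).
SAMPLE=':signature packet: algo 1, keyid 0000000000000001
    version 4, created 1242777600, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 12 34
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 2 len 4 (sig created 2009-05-20)
:signature packet: algo 1, keyid 0000000000000001
    version 4, created 1242777600, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 56 78
    hashed subpkt 27 len 1 (key flags: 0C)'

printf '%s\n' "$SAMPLE" | list_key_flags
echo "03 with the sign bit cleared: $(clear_flag 03 02) -> usage $(decode_key_flags "$(clear_flag 03 02)")"
```

To inspect a real key, pipe `gpg --export KEYID | gpg --list-packets` into `list_key_flags`.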
From Resul-Cetin at gmx.net Mon May 18 18:47:29 2009
From: Resul-Cetin at gmx.net (Resul Cetin)
Date: Mon, 18 May 2009 18:47:29 +0200
Subject: Changing usage of master key
In-Reply-To: <200905151230.27573.Resul-Cetin@gmx.net>
References: <200905151230.27573.Resul-Cetin@gmx.net>
Message-ID: <200905181847.29456.Resul-Cetin@gmx.net>
On Friday 15 May 2009 12:30:27 Resul Cetin wrote:
> Is there now a good way to move a subkey between two keys? The method
> described at http://atom.smasher.org/gpg/gpg-migrate.txt don't work because
> in the step "resign using the expire trick" doesn't work. I cannot see a
> usage behind the short output of the `key` command in --edit-key and when I
> try to save it after the resign, gpg will end with 2 as return code (I
> would assume that the key and its subkey wasn't saved). A export and
> reimport afterwards removes the "moved" key.
Just removed the do_check for sig->sig_class == 0x18 in
sig-check.c:check_key_signature2 and it worked. Please never ever do that at home.
Best regards,
Resul Cetin
From pawelzuk0 at gmail.com Wed May 20 11:25:21 2009
From: pawelzuk0 at gmail.com (Paweł Żuk)
Date: Wed, 20 May 2009 11:25:21 +0200
Subject: GNUPG 1.2.1 problem
Message-ID: <4A13CC81.4020800@gmail.com>
I use gnupg version 1.2.1.
For some cases during decrypting I receive:
gpg: encrypted with 2048-bit RSA key, ID 453733BB, created 2006-02-13
"Comapny (User) "
gpg: md_enable: algorithm 8 not available
gpg: Signature made Tue May 19 16:10:09 2009 CEST using RSA key ID FD947F6A
gpg: Can't check signature: unknown digest algorithm
Is there any possibility to skip this error?
I cannot upgrade my current version of gnupg.
Regards,
Paweł
From FZaporozhets at medgate.com Wed May 20 19:53:47 2009
From: FZaporozhets at medgate.com (Fayina Zaporozhets)
Date: Wed, 20 May 2009 13:53:47 -0400
Subject: Question from GPG
Message-ID:
Good afternoon,
I have one problem encrypting the file using gnupg.
When I run:
cmd/c c:\gnu\GnuPG\gpg --homedir C:\GNU\GnuPG\pubrings\ --yes -e -r
"E3655B17" Medgate_LeaveOgAbsenceStatus_2009-05-20.csv 2>errors.txt
I'm getting the question:
pub 2048g/5A85DEB2 2008-07-14 Schneider B2B Services - UAT/Training
(UAT and Training Key.)
Primary key fingerprint: C2C0 304A E23A D0F5 2911 AE4F 0EBD 3829 E365
5B17
Subkey fingerprint: 40F1 EC5E 7BD0 B69B F0A2 96DC 4CF4 BFE6 5A85
DEB2
It is NOT certain that the key belongs to the person named in the user
ID. If you *really* know what you are doing, you may answer the next
question with yes.
Use this key anyway? (y/N)
I did trust and signed the key before:
C:\GNU\GnuPG>gpg --edit-key E3655B17
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024D/E3655B17 created: 2008-07-14 expires: 2018-07-12 usage: SC
trust: ultimate validity: ultimate
sub 2048g/5A85DEB2 created: 2008-07-14 expires: 2018-07-12 usage: E
[ultimate] (1). Schneider B2B Services - UAT/Training (UAT and Training
Key.)
C:\GNU\GnuPG>gpg --sign-key E3655B17
pub 1024D/E3655B17 created: 2008-07-14 expires: 2018-07-12 usage: SC
trust: ultimate validity: ultimate
sub 2048g/5A85DEB2 created: 2008-07-14 expires: 2018-07-12 usage: E
[ultimate] (1). Schneider B2B Services - UAT/Training (UAT and Training
Key.)
"Schneider B2B Services - UAT/Training (UAT and Training Key.)
" was already signed by key 0CA9461C
Nothing to sign with key 0CA9461C
Key not changed so no update needed.
What could be a problem?
Doing a Google search didn't really shed any new light on this either.
I need to schedule automatic process and this confirmation question does
not let me do it.
I'll appreciate any advice.
Thanks,
Fayina
From arizonagroovejet at gmail.com Thu May 21 12:39:21 2009
From: arizonagroovejet at gmail.com (mike _)
Date: Thu, 21 May 2009 11:39:21 +0100
Subject: Can't enter passphrase in su session.
In-Reply-To:
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
Message-ID: <5f65ad900905210339i501a2f4co7a97612c9215eccb@mail.gmail.com>
2009/5/20 Chris Babcock :
>
> In .bash_profile, you will have something *like* this:
> if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2
> [cut]
Nothing like that
bob at foo:~> grep -ir gpg-agent /etc/bash* 2>/dev/null
bob at foo:~> grep -ir gpg-agent /etc/profile* 2>/dev/null
bob at foo:~>
Nothing in ~/.bash* or ~/.profile* either.
2009/5/20 Steven W. Orr :
>
> If you log in via X
I don't. Never have. The machine doesn't have X installed.
Both the replies so far have made me realise that I'm guilty of
neglecting to include some relevant info.
When logged in via ssh, the session in which I do get prompted to
enter the passphrase, the output is as follows.
gpg: using PGP trust model
gpg: key B97DE878: accepted as trusted key
You need a passphrase to unlock the secret key for
user: "Bob"
4096-bit RSA key, ID B97DE878, created 2009-05-19
can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory
gpg: no running gpg-agent - starting one
[I am prompted to enter my passphrase via some sort of ncurses
interface. From output of strace it appears to be
/usr/bin/pinentry-curses]
File `/home/bob/rpmbuild/RPMS//repodata/repomd.xml.asc' exists.
Overwrite? (y/N) y
gpg: writing to `/home/bob/rpmbuild/RPMS//repodata/repomd.xml.asc'
gpg: RSA/SHA1 signature from: "B97DE878 Bob"
The "can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or
directory" message appears in both sessions. Hence the appearance of
this message does not appear to be related to my not being prompted to
enter the passphrase.
Also GPG_AGENT_INFO is not set in either the ssh or su sessions. Hence
it being set up properly or otherwise does not appear to be relevant
to my not being prompted to enter the passphrase in a su session.
Further investigation today reveals:
If I dump the output of env in the ssh session and in the su session
to files and then run diff I get
bob at foo:~> diff /tmp/env_ssh /tmp/env_su
8d7
< TERM=xterm
9a9
> TERM=xterm
12d11
< SSH_CLIENT=XXX.XXX.XXX.XXX 56278 22
15d13
< SSH_TTY=/dev/pts/0
26c24
< MAIL=/var/mail/bob
---
> MAIL=/var/spool/mail/bob
29d26
< SSH_SENDS_LOCALE=yes
47d43
< SSH_CONNECTION=XXX.XXX.XXX.XXX 56278 YYY.YYY.YYY.YYY 22
SSH_TTY is set in the ssh session but not the su session. Setting it
in the su session to the value it's set for by the user that ran su
doesn't help. (I.e. if I log in via ssh then check the value of
SSH_TTY, su to bob then set SSH_TTY to that value.)
When bob logs in, via ssh or via su, no gpg-agent process is started.
Under both sessions, after the attempt is made to sign a file, no
gpg-agent process is running. So when gpg says "gpg: no running
gpg-agent - starting one" presumably it starts one then kills it again
after the passphrase entry.
Under the su session, if I start a gpg-agent process manually I get this:
bob at foo:~> eval $(gpg-agent --daemon)
bob at foo:~> ps aux | grep gpg
bob 356 0.0 0.0 4016 480 ? Ss 11:14 0:00
gpg-agent --daemon
bob 358 0.0 0.0 3232 728 pts/0 S+ 11:14 0:00 grep gpg
bob at foo:~> echo $GPG_AGENT_INFO
/tmp/gpg-K81hbj/S.gpg-agent:356:1
bob at foo:~> gpg -a --detach-sign ~/rpmbuild/RPMS/repodata/repomd.xml
You need a passphrase to unlock the secret key for
user: "Bob"
4096-bit RSA key, ID B97DE878, created 2009-05-19
gpg: cancelled by user
gpg: no default secret key: General error
gpg: signing failed: General error
Again I'm not prompted to enter the passphrase.
So maybe the problem is that under su, gpg-agent fails to launch
/usr/bin/pinentry (which in turn decides whether to launch
pinentry-curses, or a QT or GTK equivalent). If I run gpg under strace
and look through the output there is no mention of /usr/bin/pinentry
being called, but there is in the ssh session. Why no attempt is made to
launch /usr/bin/pinentry, though, I have not been able to determine.
thanks,
mike
From shavital at mac.com Thu May 21 13:28:30 2009
From: shavital at mac.com (Charly Avital)
Date: Thu, 21 May 2009 07:28:30 -0400
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <3f34f8420905210235y1bb6b6f8sca6b9104776fa0d1@mail.gmail.com>
References: <3f34f8420905210234l7e21e2fn758456f155f9743c@mail.gmail.com>
<3f34f8420905210235y1bb6b6f8sca6b9104776fa0d1@mail.gmail.com>
Message-ID: <4A153ADE.80408@mac.com>
Allen Schultz wrote the following on 5/21/09 5:35 AM:
[...]
>
> Please let me know if there is any trouble, and sorry for the
> inconvenience.
[...]
No inconvenience.
Results of signature verification and key usage:
-----BEGIN GPG OUTPUT-----
gpg: Signature made Thu May 21 05:34:13 2009 EDT using RSA key ID F55651E0
gpg: BAD signature from "Allen Schultz (aldaek) "
-----END GPG OUTPUT-----
$ gpg --edit-key F55651E0
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 3072R/DAD4736B created: 2009-05-20 expires: never usage: SC
trust: unknown validity: unknown
sub 2048R/F55651E0 created: 2009-05-20 expires: 2010-05-20 usage: S
sub 2048R/5687B83E created: 2009-05-20 expires: 2010-05-20 usage: E
[ unknown] (1). Allen Schultz (aldaek)
[ unknown] (2) [jpeg image of size 6128]
Command> check
uid Allen Schultz (aldaek)
sig!3 DAD4736B 2009-05-20 [self-signature]
sig! EE79C636 2009-05-20 Allen Schultz
uid [jpeg image of size 6128]
sig!3 DAD4736B 2009-05-20 [self-signature]
To sum up (as far as I can sum up).
1. Your message (which shows in the PGP headers both SHA1 and SHA256)
shows that the signature has been made using the signing subkey F55651E0 of
primary key DAD4736B.
2. Signature does not verify. Your photo file can be displayed.
3. Your primary key DAD4736B has been signed using EE79C636 (as you said
it would be):
$ gpg --edit-key EE79C636
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024D/EE79C636 created: 2009-04-24 expires: never usage: SC
trust: unknown validity: unknown
sub 2048g/762B1E36 created: 2009-04-24 expires: never usage: E
[ unknown] (1). Allen Schultz
Command> check
uid Allen Schultz
sig!3 EE79C636 2009-04-24 [self-signature]
4. I cannot sign your key, not because I am double extra paranoid or
even simple basic paranoid (which I am), but because I don't know you, I
can't ascertain that you are who you claim to be, or that the above key
or keys belong to you.
There are some basic rules to the Web of Trust.
Best regards,
Charly
From mail at 404not-found.de Thu May 21 15:01:30 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Thu, 21 May 2009 15:01:30 +0200
Subject: Question from GPG
Message-ID: <200905211501.31042.mail@404not-found.de>
On Wednesday 20 May 2009 19:53:47 Fayina Zaporozhets wrote:
> I did trust and signed the key before:
>
> C:\GNU\GnuPG>gpg --edit-key E3655B17
> gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> pub 1024D/E3655B17 created: 2008-07-14 expires: 2018-07-12 usage: SC
> trust: ultimate validity: ultimate
> sub 2048g/5A85DEB2 created: 2008-07-14 expires: 2018-07-12 usage: E
> [ultimate] (1). Schneider B2B Services - UAT/Training (UAT and Training
> Key.)
From mail at 404not-found.de Thu May 21 15:15:18 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Thu, 21 May 2009 15:15:18 +0200
Subject: Key Transition Letter 2009-05-21
Message-ID: <200905211515.23209.mail@404not-found.de>
Hello
On Thursday 21 May 2009 11:35:44 Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up
> a new OpenPGP key, and
> will be transitioning away from my old one.
> This message is signed by
> both keys to certify the
> transition.
I have not received signatures with your mail, but Charly's reply implicates
that there is a signature, though it does not validate. I have switched to a
new mail system, I hope it does not strip away signatures :-/
> If you already know my old key, you can now verify that the new
> key is
> signed by the old one:
>
> gpg --check-sigs DAD4736B
I believe (and I think others do too) it is good praxis to not sign new keys
even if you have signed the old one and the new key is signed by the old one,
without personally checking with the keyholder first. After all, the new key
could have been compromised.
> If you don't already know my old key, or you just want to be
> double
> extra paranoid, you can check the fingerprint against the one
> above:
>
> gpg --fingerprint DAD4736B
If someone does _not_ know the old key, checking the fingerprint against an
untrusted source like an eMail is certainly not enough. It is crucial for the
web of trust that key/UID combinations are only signed after the fingerprint has
been confirmed by the keyholder in person, and the UID has been checked against
an official identification.
I think the best way to have your new key integrated in the web of trust is to
visit a keysigning party, or to look up key signers in your area at
biglumber.com.
Raimar
From mail at 404not-found.de Thu May 21 15:31:17 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Thu, 21 May 2009 15:31:17 +0200
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <200905211515.23209.mail@404not-found.de>
References: <200905211515.23209.mail@404not-found.de>
Message-ID: <200905211531.21250.mail@404not-found.de>
On Thursday 21 May 2009 15:15:18 Raimar Sandner wrote:
> I believe (an I think others do too) it is good praxis to not sign new keys
> even if you have signed the old one and the new key is signed by the old
> one, without personally checking with the keyholder first. After all, the
> new key could have been compromised.
After all the _old_ key could have been compromised, that is what I meant :)
From rjh at sixdemonbag.org Thu May 21 16:59:21 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 21 May 2009 10:59:21 -0400
Subject: AW: Re: laying groundwork for an eventual migration away from
SHA1 with gpg
In-Reply-To:
References:
Message-ID: <4A156C49.2040909@sixdemonbag.org>
This subject is increasingly off-topic for -devel. I've cc'd this
message to -users; let's see if we can't move the thread there.
Niels Dettenbach wrote:
> Hmmm, Keysigning parties makes sense if they strictly follow serious
> procedures and requirements - but can't give a 100% security (as the
> most other identity checks too). Even a Passport could be modified or
> cheated.
With a high-quality forged passport I can not only travel -- I can also
vote, run for (most) public offices, get utilities in my name, open bank
accounts, and so on. Those secondary pieces of documentation won't be
forgeries, they'll be real -- and once I have them, I destroy my forged
passport and settle into my new assumed identity.
If the attacker is smart enough and savvy enough to get a high-quality
forged passport, there's no way they'll present it for inspection to
someone who's actively looking for a forged passport. They'll present
their real (obtained illegally and containing incorrect information, but
quite real) identity documents instead.
Further, you won't find 100% security anywhere. Pursuing it is an
ephemera. You won't get there, and if you obsess over it your obsession
will ultimately hurt your security.
From dshaw at jabberwocky.com Thu May 21 18:00:40 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 21 May 2009 12:00:40 -0400
Subject: GNUPG 1.2.1 problem
In-Reply-To: <4A13CC81.4020800@gmail.com>
References: <4A13CC81.4020800@gmail.com>
Message-ID: <1BE5A7AF-80E3-481E-9A34-6E7915DE6591@jabberwocky.com>
On May 20, 2009, at 5:25 AM, Paweł Żuk wrote:
> I use gnupg 1.2.1 version
> For same cases during decrypting I receive:
>
> gpg: encrypted with 2048-bit RSA key, ID 453733BB, created
> 2006-02-13 "Comapny (User) " gpg:
> md_enable: algorithm 8 not available
> gpg: Signature made Tue May 19 16:10:09 2009 CEST using RSA key ID
> FD947F6A
> gpg: Can't check signature: unknown digest algorithm
> There is any possibility to skip this error.
Yes. If you use the --skip-verify option to GPG, it will do the
decryption step, but not do the verification step.
Note, though, that may not be what you want if the signature over the
data is important to you. In that case, you must either upgrade or
ask the person sending you the message to use a digest algorithm that
you can handle. You can get a list of digests that you can handle by
typing "gpg --version". The "Hash" list is what you can handle.
> I can not upgrade my current version of gnupg
"Algorithm 8" is SHA-256. Those folks who want a switchover to
SHA-256, pay attention :)
David
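The check David describes above (compare the digest a signature needs against the "Hash" list of `gpg --version`), as an added shell example that is not part of the original thread. The two version listings are constructed samples and the function names are hypothetical; the ID-to-name table follows RFC 4880.

```shell
#!/bin/sh
# Added example: can this gpg build verify a signature made with a given
# OpenPGP hash algorithm ID?

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) -> names gpg prints.
hash_name() {
    case "$1" in
        1)  echo MD5 ;;
        2)  echo SHA1 ;;
        3)  echo RIPEMD160 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *)  return 1 ;;
    esac
}

# Reads `gpg --version` text on stdin, prints the Hash list one name per
# line. Long lists may wrap onto indented continuation lines; those are
# folded back in.
supported_hashes() {
    awk '
        /^Hash:/           { inhash = 1; sub(/^Hash:/, ""); print; next }
        inhash && /^[ \t]/ { print; next }
                           { inhash = 0 }
    ' | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# can_verify VERSION_TEXT ALGO_ID
# exit 0: digest available, 1: not available, 2: unknown algorithm ID
can_verify() {
    name=$(hash_name "$2") || return 2
    printf '%s\n' "$1" | supported_hashes | grep -qxF "$name"
}

# Constructed samples (not captured from real installations).
OLD_GPG='gpg (GnuPG) 1.2.1
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160
Compress: Uncompressed, ZIP, ZLIB'

NEW_GPG='gpg (GnuPG) 1.4.9
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384,
      SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2'

report() {
    if can_verify "$1" "$2"; then
        echo "algorithm $2 ($(hash_name "$2")): available"
    else
        echo "algorithm $2 ($(hash_name "$2")): not available"
    fi
}

report "$OLD_GPG" 8
report "$NEW_GPG" 8
```

Against a live installation, call `can_verify "$(gpg --version)" 8` before relying on signatures that use SHA-256.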
From steveo at syslang.net Thu May 21 19:19:44 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Thu, 21 May 2009 13:19:44 -0400 (EDT)
Subject: Can't enter passphrase in su session.
In-Reply-To: <20090520143648.07b74643@mail.asciiking.com>
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
<20090520143648.07b74643@mail.asciiking.com>
Message-ID:
On Wednesday, May 20th 2009 at 17:36 -0000, quoth Chris Babcock:
=>On Wed, 20 May 2009 20:00:42 +0100
=>mike _ wrote:
=>
=>> Can anyone offer any insight in this issue?
=>
=>http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html
=>
=>In .bash_profile, you will have something *like* this:
=>if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info`\
=>2>/dev/null; then
=> GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
=> export GPG_AGENT_INFO
=>else
=> eval `/usr/bin/gpg-agent --daemon`
=> echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
=>fi
=>
=>You *may* have something like this:
=>
=>if [ -f /etc/bashrc ]; then
=> . /etc/bashrc
=>fi
=>
=>
=>The code to launch gpg-agent needs to be in .bashrc if you want it to
=>execute for su users. If your .bash_profile executes your .bashrc as
=>above then you can remove the definition from .bash_profile.
This topic is getting far more complicated than you might expect. Setting
environment variables needs to be done from your .bash_profile . It
happens once when you log in and all child processes inherit the resulting
variables.
If you use su then you do not go through the .bash_profile unless you use
the - option. i.e., "su - bob" will go through bob's .bash_profile but
"su bob" will only go through the .bashrc .
The same is true of ssh. If you ssh to a host to create a session then you
will go through the .bash_profile but if you ssh to a host to just execute
a command then you will only go through the .bashrc .
The proper way to deal with this is to:
* Source in your .bashrc from your .bash_profile
* Set all of your environment variables in your .bash_profile
* Check in your .bashrc to see if PS1 is set. If not then you are not in
  an interactive session and you need to set critical environment variables.
  Usually PATH is the only one you need to set.
if [[ -n "${PS1}" ]]
then
    : Do interactive stuff. Set aliases and variables, etc.
else
    . ~/.bash_pathset
fi
--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
From jmoore3rd at bellsouth.net Thu May 21 19:38:57 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 21 May 2009 13:38:57 -0400
Subject: GNUPG 1.2.1 problem
In-Reply-To: <4A13CC81.4020800@gmail.com>
References: <4A13CC81.4020800@gmail.com>
Message-ID: <4A1591B1.8000107@bellsouth.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Paweł Żuk wrote:
> I can not upgrade my current version of gnupg
Can You please be more specific regarding why You cannot Upgrade GnuPG?
Since You are apparently using a Windows O/S [based upon the version of
Thunderbird this message was sent with] I am wondering why You are
unable to simply swap the pertinent Binary Files with ones for a newer
version in Your installation. :-\
JOHN ;)
Timestamp: Thursday 21 May 2009, 13:38 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn5019: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----
From allen.schultz at gmail.com Thu May 21 18:48:43 2009
From: allen.schultz at gmail.com (Allen Schultz)
Date: Thu, 21 May 2009 10:48:43 -0600
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <200905211531.21250.mail@404not-found.de>
References: <200905211515.23209.mail@404not-found.de>
<200905211531.21250.mail@404not-found.de>
Message-ID: <3f34f8420905210948t3974f29fpf6b7cb5264ec890f@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thu, May 21, 2009 at 7:31 AM, Raimar Sandner wrote:
> After all the _old_ key could have been compromised, that is
> what I meant :)
Thank you for the information. I will clearsign this using the
new key only.
EE79C636 has already been updated [and uploaded] with an
expiration date. This key is outdated due to the SHA-1 break in
collisions.
pub 1024D/EE79C636 2009-04-24 [expires: 2009-08-19]
Key fingerprint = 0DC0 D8F6 A3A7 C107 59C4 1512 579A F712
EE79 C636
uid Allen Schultz
uid [jpeg image of size 6128]
sub 2048g/762B1E36 2009-04-24
As far as signing or verifying through email. The subject has
already been discussed. Again, it's your choice. I may sign at a
"unverified - fingerprint through unsecure medium" per the
questions gpg asks. It does not validate the rest of my public
ring. But that was only done with the older EE79C636 as of the
signing of this email.
Let me know if this signature does not work either.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72
-----END PGP SIGNATURE-----
--
Allen Schultz
pub 3072R/DAD4736B 2009-05-20
Key fingerprint = 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B
uid Allen Schultz (aldaek)
uid [jpeg image of size 6128]
sub 2048R/F55651E0 2009-05-20 [expires: 2010-05-20]
sub 2048R/5687B83E 2009-05-20 [expires: 2010-05-20]
From jmoore3rd at bellsouth.net Thu May 21 20:18:08 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 21 May 2009 14:18:08 -0400
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <3f34f8420905210948t3974f29fpf6b7cb5264ec890f@mail.gmail.com>
References: <200905211515.23209.mail@404not-found.de> <200905211531.21250.mail@404not-found.de>
<3f34f8420905210948t3974f29fpf6b7cb5264ec890f@mail.gmail.com>
Message-ID: <4A159AE0.4000004@bellsouth.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Allen Schultz wrote:
> Thank you for the information. I will clearsign this using the
> new key only.
> Let me know if this signature does not work either.
OpenPGP Security Info
UNTRUSTED Good signature from Allen Schultz (aldaek)
Key ID: 0xF55651E0 / Signed on: 5/21/2009 12:47 PM
Key fingerprint: 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B
Works much better with just a single Signature. :-D
JOHN 8-)
Timestamp: Thursday 21 May 2009, 14:17 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn5019: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----
From rjh at sixdemonbag.org Thu May 21 20:24:53 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 21 May 2009 14:24:53 -0400
Subject: laying groundwork for an eventual migration away from SHA1 with
gpg
In-Reply-To: <4A159976.1000708@bellsouth.net>
References: <4A01226D.4050606@fifthhorseman.net> <97618F71-F4DD-4F10-B242-6C33A4D8AE72@jabberwocky.com> <4A034B33.8050901@fifthhorseman.net> <8A8B2763-4FB3-4B22-BD86-CFB2FC430C73@jabberwocky.com> <4A045E0C.6000304@fifthhorseman.net> <946F33F5-5F87-4BF7-A581-4B81B6856332@jabberwocky.com> <4A049D52.3000304@fifthhorseman.net> <0945226C-197C-4ED6-9A27-E9272A6FEA3F@jabberwocky.com> <8763g34x25.fsf@pond.riseup.net>